Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435128
MD5: 7318bf9884fb2c2c5fd8cd433ec1365b
SHA1: ee3c29a40f2a55c915305535a1d9bd604d6ed2ee
SHA256: 26f4752c9c6e47f46a1542f0d3fb360cc90250b5106135c43d66ad096833b1c7
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Country aware sample found (crashes after keyboard check)
Found evasive API chain (may stop execution after checking computer name)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source: https://95.217.245.42:9000 Virustotal: Detection: 11%
Source: https://95.217.245.42:9000/sqlx.dll Virustotal: Detection: 11%
Source: file.exe Virustotal: Detection: 38%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00406252 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_00406252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004061EF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_004061EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040825F memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat, 1_2_0040825F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00402420 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 1_2_00402420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040F82E CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 1_2_0040F82E
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 184.87.56.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00439DD6 FindFirstFileExW, 0_2_00439DD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 1_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 1_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199680449169
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 95.217.245.42:9000
Source: global traffic HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 95.217.245.42 95.217.245.42
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.245.42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00404165 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00404165
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000001.00000002.3278458435.0000000001246000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enlX
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283775993.000000001C35D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/C
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://95.217.245.42:9000
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001358000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/.245.42:9000/softokn3.dllessionKeyBackward
Source: RegAsm.exe, 00000001.00000002.3278842283.0000000001405000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/0
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/B
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/C
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/D
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/T
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/ing
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/l
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.3278894870.0000000001428000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dll-
Source: RegAsm.exe, 00000001.00000002.3278894870.0000000001428000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllT
Source: RegAsm.exe, 00000001.00000002.3278894870.0000000001428000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll
Source: RegAsm.exe, 00000001.00000002.3278894870.0000000001428000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll8
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dlloft
Source: RegAsm.exe, 00000001.00000002.3278913269.0000000001432000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3278894870.0000000001428000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000516000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/sqlx.dll
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll1
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll7
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllO
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllk
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllp
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:90006e311gle
Source: RegAsm.exe, 00000001.00000002.3277978801.00000000005F4000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000GH
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000al
Source: RegAsm.exe, 00000001.00000002.3277978801.000000000055A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000ming
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000001.00000002.3278458435.0000000001264000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&a
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000001.00000002.3278458435.0000000001264000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqw
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&l=e
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://help.steampowered.com/en/
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000001.00000002.3278458435.0000000001246000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/D?
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3278458435.0000000001246000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, file.exe, 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/r1g1o
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000001.00000002.3278842283.000000000141F000.00000004.00000020.00020000.00000000.sdmp, JKECGHCF.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000001.00000002.3278592972.0000000001275000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3277978801.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 184.87.56.26:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040FD7F _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_0040FD7F
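The URL list above mixes two very different things. Most entries (community.akamai.steamstatic.com, store.steampowered.com, the /badges and /inventory/ links) are the static assets and navigation links of one Steam profile page that RegAsm.exe fetched and cached as 76561199680449169[1].htm; they appear only in RegAsm memory and in that cached file. Two URLs also sit inside file.exe itself: https://steamcommunity.com/profiles/76561199680449169 and https://t.me/r1g1o. Vidar is widely documented to read its live C2 address out of a Steam profile or Telegram channel (a dead-drop resolver), which is what the "C2 URLs / IPs found in malware configuration" signature in the overview refers to, so those two are the indicators worth extracting; the duckduckgo/ecosia/google strings from JKECGHCF.1.dr look like harvested browser data rather than sample configuration (an assumption), and the single TLS session on port 49705 is consistent with the profile fetch. The Python below is an added example, not part of the report or of any Joe Sandbox tooling. It parses lines in the report's own "String found in binary or memory" format, classifies each URL, and keeps as IOCs only dead-drop candidates that are also present in file.exe memory. The sample lines are constructed to mirror the ones above; the 17-digit SteamID64 check is standard, the Telegram name-length range is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed lines in the report's "Source: ... String found in binary or memory: <url>"
# shape; sources and URLs mirror the entries listed above.
SAMPLE_LINES = [
    "Source: 76561199680449169[1].htm.1.dr String found in binary or memory: "
    "https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english",
    "Source: file.exe, file.exe, 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp, "
    "RegAsm.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169",
    "Source: RegAsm.exe, 76561199680449169[1].htm.1.dr String found in binary or memory: "
    "https://steamcommunity.com/profiles/76561199680449169/badges",
    "Source: file.exe, RegAsm.exe String found in binary or memory: https://t.me/r1g1o",
    "Source: RegAsm.exe, JKECGHCF.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: unknown HTTPS traffic detected: 184.87.56.26:443 -> 192.168.2.5:49705 version: TLS 1.2",
]

URL_LINE_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>https?://\S+)"
)
STEAM_PROFILE_RE = re.compile(r"^/profiles/\d{17}/?$")  # a SteamID64 is 17 digits
TELEGRAM_RE = re.compile(r"^/[A-Za-z0-9_]{5,32}/?$")     # assumed public channel/user name shape
STEAM_ASSET_SUFFIXES = ("steamstatic.com", "steampowered.com",
                        "steamcommunity.com", "valvesoftware.com")
SEARCH_HOSTS = {"duckduckgo.com", "www.ecosia.org", "www.google.com"}


def parse_line(line):
    """Return {'url', 'sources'} for a string-found line, None for any other report line."""
    m = URL_LINE_RE.match(line)
    if not m:
        return None
    return {"url": m.group("url"),
            "sources": [s.strip() for s in m.group("sources").split(",")]}


def classify(url):
    """Label a URL by what it most likely is in a Vidar report."""
    p = urlparse(url)
    host = p.netloc.lower()
    if host == "steamcommunity.com" and STEAM_PROFILE_RE.match(p.path):
        return "dead-drop-steam-profile"   # profile page used to publish the C2 address
    if host == "t.me" and TELEGRAM_RE.match(p.path):
        return "dead-drop-telegram"        # channel used to publish the C2 address
    if host.endswith(STEAM_ASSET_SUFFIXES):
        return "fetched-page-asset"        # CSS/JS/links inside the downloaded profile HTML
    if host in SEARCH_HOSTS:
        return "browser-default-search"    # assumed: harvested browser data, not sample config
    return "other"


def triage(lines):
    """Split report lines into (iocs, noise); an IOC is a dead-drop URL embedded in file.exe."""
    iocs, noise = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["kind"] = classify(rec["url"])
        rec["embedded_in_sample"] = "file.exe" in rec["sources"]
        is_ioc = rec["kind"].startswith("dead-drop") and rec["embedded_in_sample"]
        (iocs if is_ioc else noise).append(rec)
    return iocs, noise


if __name__ == "__main__":
    found, rest = triage(SAMPLE_LINES)
    for r in found:
        print("IOC  ", r["kind"], r["url"])
    for r in rest:
        print("noise", r["kind"], r["url"])
```

The profile and channel URLs are the stable part of the configuration; the C2 they resolve to can change without the sample changing, so block and hunt on both.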

System Summary

Source: 0.2.file.exe.44f030.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.44f030.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0046B0A0 0_2_0046B0A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004352E6 0_2_004352E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043C43B 0_2_0043C43B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004694DB 0_2_004694DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042F5D0 0_2_0042F5D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042C5FB 0_2_0042C5FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042C943 0_2_0042C943
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00468A39 0_2_00468A39
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00469BB7 0_2_00469BB7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043DDBF 0_2_0043DDBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00468F8A 0_2_00468F8A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00433F93 0_2_00433F93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041A609 1_2_0041A609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041B787 1_2_0041B787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041AB5A 1_2_0041AB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041CC70 1_2_0041CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C124CF0 1_2_1C124CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C141C50 1_2_1C141C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11292D 1_2_1C11292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C279CC0 1_2_1C279CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1112A8 1_2_1C1112A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C112AA9 1_2_1C112AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C111C9E 1_2_1C111C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1C5940 1_2_1C1C5940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C239A20 1_2_1C239A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C112018 1_2_1C112018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C279430 1_2_1C279430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11D4C0 1_2_1C11D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1B9690 1_2_1C1B9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1CD6D0 1_2_1C1CD6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C129000 1_2_1C129000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C235040 1_2_1C235040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C2ED209 1_2_1C2ED209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C113580 1_2_1C113580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1A53B0 1_2_1C1A53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C138D2A 1_2_1C138D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C14CE10 1_2_1C14CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11C800 1_2_1C11C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C111EF1 1_2_1C111EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C214A60 1_2_1C214A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C250480 1_2_1C250480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C138680 1_2_1C138680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C138763 1_2_1C138763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C174760 1_2_1C174760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1A8760 1_2_1C1A8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C238030 1_2_1C238030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C190090 1_2_1C190090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C198120 1_2_1C198120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C113AB2 1_2_1C113AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11290A 1_2_1C11290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C147810 1_2_1C147810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11251D 1_2_1C11251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C13BAB0 1_2_1C13BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11F160 1_2_1C11F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11174E 1_2_1C11174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C143370 1_2_1C143370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1119DD 1_2_1C1119DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C2EAEBE 1_2_1C2EAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C156E80 1_2_1C156E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C172EE0 1_2_1C172EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C24E800 1_2_1C24E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C113E3B 1_2_1C113E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11481D 1_2_1C11481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C22A900 1_2_1C22A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C20A940 1_2_1C20A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1F69C0 1_2_1C1F69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11AA40 1_2_1C11AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11EA80 1_2_1C11EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1147AF 1_2_1C1147AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C13A560 1_2_1C13A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C20A590 1_2_1C20A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1266C0 1_2_1C1266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C19A0B0 1_2_1C19A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C11209F 1_2_1C11209F
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00426AC0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00464F22 appears 92 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C111C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C2F06B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00416AF2 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C11415B appears 173 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C11395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C113AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C111F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040249B appears 311 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 312
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.44f030.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.420000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.44f030.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: file.exe Static PE information: Section: .Right ZLIB complexity 0.9970576298701299
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/17@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040EDA7 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_0040EDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040F1A8 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString, 1_2_0040F1A8
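The API chains the report pins to individual functions are what the capability signatures in the overview come from: 1_2_0040FD7F (GetDesktopWindow, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt) is the classic GDI screen capture, 1_2_0040EDA7 (CreateToolhelp32Snapshot, Process32First, Process32Next) walks the process list, and 1_2_0040F1A8 (CoCreateInstance, SysAllocString, _wtoi64) activates a COM object and passes BSTR arguments. An ordered subsequence of calls inside one function is a far stronger signal than the same APIs scattered across a binary's import table. The Python below is an added example, not Joe Sandbox's matching logic; it parses lines in the report's "Code function" format and matches each function's call list against ordered capability patterns. The GDI and Toolhelp patterns are standard; the COM/BSTR pattern is a heuristic added here that says only that a COM object is used with string arguments, which is consistent with the WMI check listed in the overview but does not prove it. The sample lines are constructed from the three functions above plus one with no resolved calls.

```python
import re

# Constructed lines in the report's "Code function: <id> <api>,<api>,... <id>" shape.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040FD7F "
    r"_EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,"
    r"SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_0040FD7F",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040EDA7 "
    r"_EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_0040EDA7",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040F1A8 "
    r"CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString, 1_2_0040F1A8",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041A609 1_2_0041A609",
]

# <fn> <comma-terminated api list, optional> <fn again>
CODE_FN_RE = re.compile(r"Code function: (?P<fn>\S+)(?: (?P<apis>\S+,))? (?P=fn)$")

# Ordered call patterns; a function matches if the calls occur in this order (gaps allowed).
CAPABILITY_RULES = {
    "screenshot-capture": ["GetDesktopWindow", "GetDC", "CreateCompatibleDC",
                           "CreateCompatibleBitmap", "BitBlt"],
    "process-enumeration": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    # heuristic (added here): COM activation followed by BSTR construction; consistent
    # with a WMI query but not specific to one
    "com-object-with-bstr-args": ["CoCreateInstance", "SysAllocString"],
}


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function' line, None otherwise."""
    m = CODE_FN_RE.search(line)
    if not m:
        return None
    apis = m.group("apis")
    calls = [a for a in apis.split(",") if a] if apis else []
    return m.group("fn"), calls


def contains_ordered(calls, pattern):
    """True if every name in pattern appears in calls, in that relative order."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def capabilities(lines):
    """Map each capability name to the function ids whose call chain matches it."""
    found = {}
    for line in lines:
        rec = parse_code_function(line)
        if rec is None:
            continue
        fn, calls = rec
        for name, pattern in CAPABILITY_RULES.items():
            if contains_ordered(calls, pattern):
                found.setdefault(name, []).append(fn)
    return found


if __name__ == "__main__":
    for name, fns in capabilities(SAMPLE_LINES).items():
        print(f"{name:28s} {', '.join(fns)}")
```

The order check matters: BitBlt after CreateCompatibleBitmap into a DC obtained from the desktop window is a capture, whereas the same functions in a different order are ordinary drawing code.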
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199680449169[1].htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess728
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7fb6fa62-5f96-47b1-a1c3-d28a18a3fb13 Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HDGCFHIDAKECFHIEBFCG.1.dr, IDHIIJJJKEGIDGCBAFIJ.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 38%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 312
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3279637275.00000000163BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3283625258.000000001C328000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.1.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0041608F
Source: file.exe Static PE information: section name: .Right
Source: sqlx[1].dll.1.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044606D push esi; ret 0_2_00446076
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004660E5 push ecx; ret 0_2_004660F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042620B push ecx; ret 0_2_0042621E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00417CB5 push ecx; ret 1_2_00417CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C111BF9 push ecx; ret 1_2_1C2B4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1110C8 push ecx; ret 1_2_1C313552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0041608F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2888, type: MEMORYSTR
Source: c:\users\user\desktop\file.exe Event Logs and Signature results: Application crash and keyboard check
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: file.exe, RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
Source: C:\Users\user\Desktop\file.exe API coverage: 1.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040E76B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E87Eh 1_2_0040E76B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00439DD6 FindFirstFileExW, 0_2_00439DD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 1_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 1_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040E907 GetSystemInfo,wsprintfA, 1_2_0040E907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: KECGHIJD.1.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegAsm.exe, 00000001.00000002.3278996019.0000000003815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware?
Source: KECGHIJD.1.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.3278458435.0000000001264000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3278458435.00000000011EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: KECGHIJD.1.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: KECGHIJD.1.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: KECGHIJD.1.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KECGHIJD.1.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: KECGHIJD.1.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.3278996019.0000000003815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: KECGHIJD.1.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: KECGHIJD.1.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KECGHIJD.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: KECGHIJD.1.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: KECGHIJD.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KECGHIJD.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KECGHIJD.1.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: KECGHIJD.1.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KECGHIJD.1.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: KECGHIJD.1.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KECGHIJD.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KECGHIJD.1.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KECGHIJD.1.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KECGHIJD.1.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: KECGHIJD.1.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: KECGHIJD.1.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KECGHIJD.1.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KECGHIJD.1.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042A7D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A7D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0041608F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00464103 mov eax, dword ptr fs:[00000030h] 0_2_00464103
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00430A50 mov ecx, dword ptr fs:[00000030h] 0_2_00430A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043AF51 mov eax, dword ptr fs:[00000030h] 0_2_0043AF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00415CD3 mov eax, dword ptr fs:[00000030h] 1_2_00415CD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043D550 GetProcessHeap, 0_2_0043D550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042A7D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A7D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00426896 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00426896
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004269F2 SetUnhandledExceptionFilter, 0_2_004269F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00426B0A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00426B0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00419387 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00419387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00417E5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00417E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041CF18 SetUnhandledExceptionFilter, 1_2_0041CF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C112C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_1C112C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1142AF SetUnhandledExceptionFilter, 1_2_1C1142AF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_0040FC40
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FCA008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044F430 cpuid 0_2_0044F430
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0043D119
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0043D21F
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0043D2EE
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0043467D
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0043C98A
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00434BA3
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0043CC77
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0043CC2C
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0043CD12
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0043CD9D
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0043CFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_0040E76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 1_2_1C112112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 1_2_1C2EFF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_1C11298C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00426790 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00426790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040E651 GetProcessHeap,HeapAlloc,GetUserNameA, 1_2_0040E651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0040E718 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_0040E718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.3278458435.00000000011EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.44f030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44f030.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2888, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2888, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.44f030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.44f030.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.3277978801.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2121740390.000000000044D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2888, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C125C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 1_2_1C125C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C18DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 1_2_1C18DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C191FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C191FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1B5910 sqlite3_mprintf,sqlite3_bind_int64, 1_2_1C1B5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C23D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 1_2_1C23D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C18DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 1_2_1C18DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C23D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 1_2_1C23D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C2314D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 1_2_1C2314D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1B55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1B55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1ED610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1ED610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1A9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 1_2_1C1A9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1B51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1B51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1CD3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1CD3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C148CB0 sqlite3_bind_zeroblob, 1_2_1C148CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1F4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 1_2_1C1F4D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C140FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 1_2_1C140FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C124820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 1_2_1C124820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C148970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 1_2_1C148970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C148430 sqlite3_bind_int64, 1_2_1C148430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C168550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 1_2_1C168550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C138680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 1_2_1C138680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1606E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 1_2_1C1606E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1F4140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 1_2_1C1F4140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C188200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 1_2_1C188200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C147810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 1_2_1C147810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C13B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 1_2_1C13B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1D3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1D3770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1F37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C1F37E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C16EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 1_2_1C16EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C1266C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 1_2_1C1266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C18A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 1_2_1C18A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C17E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 1_2_1C17E090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C18E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 1_2_1C18E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_1C17E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 1_2_1C17E200