Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435613
MD5: 1a6b4d357d1b8bab80524e40be1b2698
SHA1: 70961ace92a0ebfdb38ae27a22181fb5a4f7d440
SHA256: 09ad84f8dde519aa02e92ffce896f55271105ceaab7e0f0a1f1ca9fee90650ff
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking computer name)
Injects a PE file into a foreign process
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

AV Detection

Source: file.exe Avira: detected
Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406252 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_00406252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004061EF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_004061EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040825F memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat, 2_2_0040825F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00402420 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 2_2_00402420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F82E CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_0040F82E
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E08F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E08F67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 2_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199680449169
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 95.217.245.42:9000
Source: global traffic HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1; Host: steamcommunity.com; Connection: Keep-Alive; Cache-Control: no-cache (no User-Agent header)
Source: Joe Sandbox View IP Address: 95.217.245.42
Source: Joe Sandbox View IP Address: 104.105.90.131
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
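The configuration extractor reports the Steam profile URL as the "C2 url", but that profile is a dead drop: the address the stealer actually talks to (95.217.245.42:9000, which appears in the dropped 76561199680449169[1].htm and in the TCP traffic) is carried in the profile page text. The Python below is an added example, not part of this report or of the sample's code. It pulls raw-IP URLs out of a saved copy of such a page; the HTML it scans is constructed to stand in for the dropped file, the element names are assumptions, and only the C2 string is taken from this report.

```python
import re
from html import unescape

# Constructed stand-in for the page the sandbox saved as 76561199680449169[1].htm.
# The C2 string is the one from the report; the surrounding markup is illustrative.
SAMPLE_PROFILE_HTML = """<html><head><title>Steam Community :: profile</title></head>
<body>
<link rel="stylesheet" href="https://community.akamai.steamstatic.com/public/css/globalv2.css">
<div class="profile_header">
  <span class="actual_persona_name">https&#58;//95.217.245.42&#58;9000</span>
  <div class="profile_summary">No information given.</div>
</div>
<a href="http://store.steampowered.com/privacy_agreement/">Privacy</a>
</body></html>"""

# A URL whose host is a literal IPv4 address. Legitimate links on the page use
# hostnames (steamstatic.com, steampowered.com), so a raw IP is the dead-drop payload.
RAW_IP_URL = re.compile(
    r"(?P<scheme>https?)://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::(?P<port>\d{1,5}))?"
)


def _valid_ipv4(ip: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_dead_drop_c2(html: str) -> list[str]:
    """Return unique "scheme://ip:port" C2 candidates in page order.

    HTML entities are decoded first because the address may be entity-escaped
    (Steam escapes user-controlled text), and the scheme's default port is
    filled in so the result can be fed straight into a blocklist.
    """
    found: list[str] = []
    for m in RAW_IP_URL.finditer(unescape(html)):
        if not _valid_ipv4(m["ip"]):
            continue
        port = m["port"] or ("443" if m["scheme"] == "https" else "80")
        c2 = f"{m['scheme']}://{m['ip']}:{port}"
        if c2 not in found:
            found.append(c2)
    return found


if __name__ == "__main__":
    print(extract_dead_drop_c2(SAMPLE_PROFILE_HTML))
```

Run it against the dropped .htm from the analysis rather than fetching the profile from an analysis host, and treat any raw-IP URL it returns as a C2 candidate to be confirmed against the conn log.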
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.245.42 (this line is repeated 50 times in the report)
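The repeated connections to 95.217.245.42 with no matching DNS query, on port 9000, with a JA3 fingerprint the sandbox has already seen with other malware, form a pattern that can be hunted for in network logs. The Python below is an added example, not tooling from this report: it joins constructed dns/conn/ssl records in the style of Zeek logs and flags public destinations that no recent DNS answer explains, non-standard ports, and watchlisted JA3 hashes. The addresses, ports and JA3 value are from this report; the timestamps, connection uids and the lookback window are invented.

```python
import ipaddress
from collections import defaultdict

# Constructed records in the spirit of Zeek dns.log / conn.log / ssl.log.
# IPs, ports and the JA3 hash come from this report; timestamps and uids are invented.
DNS_LOG = [
    {"ts": 100.0, "query": "steamcommunity.com", "answers": ["104.105.90.131"]},
]
CONN_LOG = [
    {"ts": 101.0, "uid": "C1", "src": "192.168.2.4", "sport": 49730, "dst": "104.105.90.131", "dport": 443},
    {"ts": 105.0, "uid": "C2", "src": "192.168.2.4", "sport": 49731, "dst": "95.217.245.42", "dport": 9000},
    {"ts": 106.0, "uid": "C3", "src": "192.168.2.4", "sport": 49732, "dst": "192.168.2.1", "dport": 445},
]
SSL_LOG = [
    {"uid": "C1", "ja3": "00000000000000000000000000000000"},  # placeholder, not a real hash
    {"uid": "C2", "ja3": "37f463bf4616ecd445d4a1937da06e19"},  # value from this report
]

# JA3 fingerprint the sandbox associates with other malware (from this report).
JA3_WATCHLIST = {"37f463bf4616ecd445d4a1937da06e19"}
# Ports on which outbound web traffic is expected; anything else is worth a look.
EXPECTED_PORTS = {80, 443}
# How far back a DNS answer may lie to explain a connection (assumed value).
DNS_LOOKBACK = 3600.0


def find_dnsless_connections(dns_log, conn_log, ssl_log, lookback=DNS_LOOKBACK):
    """Return findings for conn records that look like hard-coded C2 traffic.

    A connection is flagged when its public destination was not returned by any
    DNS answer in the lookback window, when it uses a non-standard port, or when
    the TLS client fingerprint is on the watchlist. Private/internal destinations
    are skipped because they have a different baseline.
    """
    answers = defaultdict(list)  # resolved IP -> timestamps of the answers
    for r in dns_log:
        for ip in r["answers"]:
            answers[ip].append(r["ts"])
    ssl_by_uid = {r["uid"]: r for r in ssl_log}

    findings = []
    for c in conn_log:
        if not ipaddress.ip_address(c["dst"]).is_global:
            continue
        reasons = []
        resolved = any(c["ts"] - lookback <= ts <= c["ts"] for ts in answers.get(c["dst"], []))
        if not resolved:
            reasons.append("no_dns_resolution")
        if c["dport"] not in EXPECTED_PORTS:
            reasons.append(f"non_standard_port:{c['dport']}")
        ssl = ssl_by_uid.get(c["uid"])
        if ssl and ssl["ja3"] in JA3_WATCHLIST:
            reasons.append(f"ja3_watchlist:{ssl['ja3']}")
        if reasons:
            findings.append({
                "uid": c["uid"],
                "src": f"{c['src']}:{c['sport']}",
                "dst": f"{c['dst']}:{c['dport']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_dnsless_connections(DNS_LOG, CONN_LOG, SSL_LOG):
        print(f)
```

On real logs the DNS join must also account for answers cached before the log window begins, so treat "no_dns_resolution" on its own as a lead rather than a verdict; it is the combination with the port and fingerprint that singles out the C2 session here.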
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00404165 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00404165
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.co equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866748482.000000001C2DD000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://95.217.245.42:9000
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/0ea2osoft
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/B
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/J
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/Z
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllt
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dlldge
Source: RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll)))
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dllD
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dllft
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/r
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dlldge
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/sqlx.dll
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll_7)
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllser
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllw=
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/z
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:900090ea2le
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000606000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000acrosoft
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000el
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000ing
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000l
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000vcruntime140.dllUser
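The strings above come from a process dump, so the C2 URL appears with neighbouring heap bytes glued on (/freebl3.dllEdge, :900090ea2le, :9000acrosoft). The set of paths requested is itself an indicator: NSS/Mozilla libraries (freebl3, mozglue, nss3, softokn3) used to read Firefox credential stores, the VC++ runtime they depend on, and a SQLite build (sqlx.dll, matching the sqlite3.pdb path above) for browser databases. The Python below is an added example, not tooling from this report: it scans a constructed dump fragment modelled on these strings, recovers the host:port by majority vote across the noisy matches, and reduces trailing junk to the known module names. The dump bytes are constructed; the URL and module names are the ones in this report.

```python
import re
from collections import Counter, defaultdict

# Modules the sample fetches from its C2, as named in the strings of this report.
DEPENDENCY_DLLS = (
    "freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
    "softokn3.dll", "vcruntime140.dll", "sqlx.dll",
)

# Constructed dump fragment. Each string mirrors a noisy one from the report,
# where adjacent heap data runs straight into the URL.
SAMPLE_DUMP = (
    b"\x00\x00https://95.217.245.42:9000/freebl3.dllEdge\x00"
    b"https://95.217.245.42:9000/mozglue.dllt\x00"
    b"https://95.217.245.42:900090ea2le\x00"
    b"https://95.217.245.42:9000/nss3.dll)))\x00"
    b"https://95.217.245.42:9000/vcruntime140.dll_7)\x00"
    b"https://95.217.245.42:9000acrosoft\x00"
    b"https://95.217.245.42:9000/B\x00"
    b"http://store.steampowered.com/privacy_agreement/\x00"
)

# Raw-IP URL. The port must end at a non-digit so a run like ":900090ea2le"
# yields no port instead of a wrong one; the path tail is captured greedily and
# cleaned up afterwards. ASCII only; UTF-16 strings would need a second pass.
URL_RE = re.compile(
    rb"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    rb"(?::(?P<port>\d{1,5})(?!\d))?"
    rb"(?:/(?P<tail>[A-Za-z0-9_.\-]*))?"
)


def triage_dump_strings(data: bytes) -> dict:
    """Summarise raw-IP URLs in a dump: C2 host:port, known modules, leftover paths.

    Returns {"c2": {ip: port}, "downloads": [module, ...], "other_paths": {tail: n}}.
    The port per host is the most frequent one seen, which survives the clipped
    and over-run variants that a memory dump produces.
    """
    ports = defaultdict(Counter)
    downloads = set()
    other_paths = Counter()
    for m in URL_RE.finditer(data):
        ip = m["ip"].decode()
        ports[ip]  # register the host even if this match carries no usable port
        if m["port"]:
            ports[ip][int(m["port"])] += 1
        tail = (m["tail"] or b"").decode()
        if not tail:
            continue
        # "freebl3.dllEdge" -> "freebl3.dll": keep the longest known name the tail starts with.
        known = next((d for d in DEPENDENCY_DLLS if tail.startswith(d)), None)
        if known:
            downloads.add(known)
        else:
            other_paths[tail] += 1
    c2 = {ip: (c.most_common(1)[0][0] if c else None) for ip, c in ports.items()}
    return {"c2": c2, "downloads": sorted(downloads), "other_paths": dict(other_paths)}


if __name__ == "__main__":
    print(triage_dump_strings(SAMPLE_DUMP))
```

The "other_paths" bucket is where the one-letter tails (/B, /J, /Z, /r, /z) from the report end up; they are dump noise rather than endpoints, and leaving them separate keeps them from contaminating a blocklist built from "downloads".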
Source: BKKFHIEG.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BKKFHIEG.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BKKFHIEG.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BKKFHIEG.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&a
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqw
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&l=e
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BKKFHIEG.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BKKFHIEG.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BKKFHIEG.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://help.steampowered.com/en/
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.co
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/X
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: CGDGCFBA.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: CGDGCFBA.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/r1g1o
Source: BKKFHIEG.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: BKKFHIEG.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=T
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FD7F _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_0040FD7F

System Summary

Source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E3B0B0 0_2_00E3B0B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E394EB 0_2_00E394EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E03663 0_2_00E03663
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E38A49 0_2_00E38A49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E39BC7 0_2_00E39BC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0CD80 0_2_00E0CD80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFEEF0 0_2_00DFEEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFBE7D 0_2_00DFBE7D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E38F9A 0_2_00E38F9A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E03F4F 0_2_00E03F4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041A609 2_2_0041A609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041B787 2_2_0041B787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041AB5A 2_2_0041AB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CC70 2_2_0041CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A4CF0 2_2_1C0A4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09292D 2_2_1C09292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1F9CC0 2_2_1C1F9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C092AA9 2_2_1C092AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0912A8 2_2_1C0912A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C091C9E 2_2_1C091C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C145940 2_2_1C145940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C092018 2_2_1C092018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1B9A20 2_2_1C1B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1F9430 2_2_1C1F9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C139690 2_2_1C139690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C14D6D0 2_2_1C14D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A9000 2_2_1C0A9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1B5040 2_2_1C1B5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C26D209 2_2_1C26D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1253B0 2_2_1C1253B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C093580 2_2_1C093580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0B8D2A 2_2_1C0B8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C091EF1 2_2_1C091EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C194A60 2_2_1C194A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1D0480 2_2_1C1D0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0B8680 2_2_1C0B8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0B8763 2_2_1C0B8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0F4760 2_2_1C0F4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C128760 2_2_1C128760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1B8030 2_2_1C1B8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C110090 2_2_1C110090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C118120 2_2_1C118120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C093AB2 2_2_1C093AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09290A 2_2_1C09290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09251D 2_2_1C09251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0BBAB0 2_2_1C0BBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09F160 2_2_1C09F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09174E 2_2_1C09174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0C3370 2_2_1C0C3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0919DD 2_2_1C0919DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0D6E80 2_2_1C0D6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C26AEBE 2_2_1C26AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0F2EE0 2_2_1C0F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1CE800 2_2_1C1CE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C093E3B 2_2_1C093E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09481D 2_2_1C09481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1AA900 2_2_1C1AA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C18A940 2_2_1C18A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1769C0 2_2_1C1769C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09AA40 2_2_1C09AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09EA80 2_2_1C09EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0947AF 2_2_1C0947AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0BA560 2_2_1C0BA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C18A590 2_2_1C18A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A66C0 2_2_1C0A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C11A0B0 2_2_1C11A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C09209F 2_2_1C09209F
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00DF6C10 appears 49 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E34F32 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00416AF2 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C091F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C093AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C09395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C091C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C09415B appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040249B appears 311 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1C2706B1 appears 36 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: file.exe Static PE information: Section: .Left ZLIB complexity 0.9971438717532467
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/10@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040EDA7 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_0040EDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F1A8 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString, 2_2_0040F1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041608F
Source: file.exe Static PE information: section name: .Left
Source: sqlx[1].dll.2.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E360F5 push ecx; ret 0_2_00E36108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1EBE5 push cs; ret 0_2_00E1EBE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1EBAF push cs; ret 0_2_00E1EBB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E1EC2B push cs; ret 0_2_00E1EC2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF5F0D push ecx; ret 0_2_00DF5F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417CB5 push ecx; ret 2_2_00417CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C091BF9 push ecx; ret 2_2_1C234C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0910C8 push ecx; ret 2_2_1C293552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: file.exe, RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Users\user\Desktop\file.exe API coverage: 9.4 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E76B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E87Eh 2_2_0040E76B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E08F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00E08F67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 2_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E907 GetSystemInfo,wsprintfA, 2_2_0040E907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: RegAsm.exe, 00000002.00000002.2862621914.00000000012D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001393000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001310000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DFA723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFA723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041608F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0A031 mov eax, dword ptr fs:[00000030h] 0_2_00E0A031
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E001B7 mov ecx, dword ptr fs:[00000030h] 0_2_00E001B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E34113 mov eax, dword ptr fs:[00000030h] 0_2_00E34113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415CD3 mov eax, dword ptr fs:[00000030h] 2_2_00415CD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0C630 GetProcessHeap, 0_2_00E0C630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF66E5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00DF66E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF69EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DF69EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF6B4B SetUnhandledExceptionFilter, 0_2_00DF6B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419387 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00419387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417E5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00417E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CF18 SetUnhandledExceptionFilter, 2_2_0041CF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C092C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1C092C8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0942AF SetUnhandledExceptionFilter, 2_2_1C0942AF

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0040FC40
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E0B008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF64CC cpuid 0_2_00DF64CC
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00E0C0D0
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00E05032
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E0C1F9
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00E0C2FF
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E0C3CE
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00E05558
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00E0BDF2
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00E0BD57
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00E0BD0C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E0BE7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_0040E76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 2_2_1C092112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1C26FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_1C093AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_1C283300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1C282CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1C282D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1C282DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DF68E2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DF68E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E651 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_0040E651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E718 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_0040E718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001310000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1C0A5C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C10DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 2_2_1C10DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C111FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C111FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C135910 sqlite3_mprintf,sqlite3_bind_int64, 2_2_1C135910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1BD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1C1BD9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C10DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1C10DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1B14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1C1B14D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1BD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1C1BD4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1355B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C1355B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C16D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C16D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C129090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 2_2_1C129090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1351D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C1351D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C14D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C14D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C174D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1C174D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0C0FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1C0C0FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 2_2_1C0A4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0E8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 2_2_1C0E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0B8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 2_2_1C0B8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0E06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_1C0E06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C108200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 2_2_1C108200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0BB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 2_2_1C0BB400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C153770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C153770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C1737E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C1737E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0EEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 2_2_1C0EEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0A66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1C0A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C10A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 2_2_1C10A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0FE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1C0FE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C10E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1C10E170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1C0FE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 2_2_1C0FE200