Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435958
MD5: 7fff271b63f7af3a9a59f068a6f8955f
SHA1: 67c0082192328a5c003efe6fd87e38802b95570d
SHA256: 48a6d2eb28127d8bc1623400f0b33ea5f51a7473ce3369a14e8b4a5f0d02bca4
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking computer name)
Injects a PE file into a foreign process
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: 00000000.00000002.1626908949.000000000084D000.00000004.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source: https://95.217.245.42:9000 Virustotal: Detection: 11%
Source: https://95.217.245.42:9000/sqlx.dll Virustotal: Detection: 11%
Source: file.exe Virustotal: Detection: 27%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406252 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_00406252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004061EF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_004061EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040825F memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat, 2_2_0040825F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00402420 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 2_2_00402420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F82E CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_0040F82E
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 184.87.56.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00838F57 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00838F57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 2_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199680449169
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 95.217.245.42:9000
Source: global traffic HTTP traffic detected: GET /profiles/76561199680449169 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 95.217.245.42 95.217.245.42
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 95.217.245.42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00404165 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00404165
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en;
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900945500.000000001BDAD000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42/(
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://95.217.245.42:9000
Source: RegAsm.exe, 00000002.00000002.2894673197.0000000000E80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/
Source: RegAsm.exe, 00000002.00000002.2894928338.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/)
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/0ed9osoft
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/B
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/M
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/Pd
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/freebl3.dllu
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000528000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000528000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/mozglue.dllome
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/msvcp140.dllz)l
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894928338.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2894928338.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/nss3.dll2
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2894623309.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/softokn3.dllh
Source: RegAsm.exe, 00000002.00000002.2894928338.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/sqlx.dll
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll4
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllt
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000acrosoft
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000ing
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000l
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000052E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://95.217.245.42:9000msvcp140.dll0_15_7)
Source: AKKEGHJD.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: AKKEGHJD.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AKKEGHJD.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AKKEGHJD.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8A
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=roSu
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&amp
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/r
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/toolt
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: AKKEGHJD.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AKKEGHJD.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AKKEGHJD.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://help.steampowered.com/en/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, file.exe, 00000000.00000002.1626908949.000000000084D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2894211044.0000000000D74000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199680449169;C
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/tQ
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowere/(:
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp, KFIIJJJD.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: KFIIJJJD.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp, KFIIJJJD.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: KFIIJJJD.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2893637125.000000000056C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, file.exe, 00000000.00000002.1626908949.000000000084D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/r1g1o
Source: AKKEGHJD.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: AKKEGHJD.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.2894452308.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2893637125.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 184.87.56.26:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FD7F _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_0040FD7F
Source: file.exe, 00000000.00000000.1624347521.0000000000882000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: RegisterRawInputDevices memstr_7c4f0ce9-4

System Summary

Source: 0.2.file.exe.84f038.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.84f038.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086B0A8 0_2_0086B0A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008694E3 0_2_008694E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00833653 0_2_00833653
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00868A41 0_2_00868A41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00869BBF 0_2_00869BBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083CD70 0_2_0083CD70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082EEE0 0_2_0082EEE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082BE6D 0_2_0082BE6D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00868F92 0_2_00868F92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00833F3F 0_2_00833F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041A609 2_2_0041A609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041B787 2_2_0041B787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041AB5A 2_2_0041AB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CC70 2_2_0041CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB74CF0 2_2_1BB74CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC89A20 2_2_1BC89A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB62018 2_2_1BB62018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC15940 2_2_1BC15940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB61C9E 2_2_1BB61C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB62AA9 2_2_1BB62AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB612A8 2_2_1BB612A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BCC9CC0 2_2_1BCC9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6292D 2_2_1BB6292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBF53B0 2_2_1BBF53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB63580 2_2_1BB63580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BD3D209 2_2_1BD3D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC85040 2_2_1BC85040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB79000 2_2_1BB79000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC1D6D0 2_2_1BC1D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC09690 2_2_1BC09690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BCC9430 2_2_1BCC9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC64A60 2_2_1BC64A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB61EF1 2_2_1BB61EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB88D2A 2_2_1BB88D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB63AB2 2_2_1BB63AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBE8120 2_2_1BBE8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBE0090 2_2_1BBE0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC88030 2_2_1BC88030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB88763 2_2_1BB88763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBC4760 2_2_1BBC4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBF8760 2_2_1BBF8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB88680 2_2_1BB88680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BCA0480 2_2_1BCA0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB8BAB0 2_2_1BB8BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6251D 2_2_1BB6251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6290A 2_2_1BB6290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB93370 2_2_1BB93370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6174E 2_2_1BB6174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6F160 2_2_1BB6F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6EA80 2_2_1BB6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6AA40 2_2_1BB6AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC469C0 2_2_1BC469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC5A940 2_2_1BC5A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC7A900 2_2_1BC7A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6481D 2_2_1BB6481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB63E3B 2_2_1BB63E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC9E800 2_2_1BC9E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBA6E80 2_2_1BBA6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBC2EE0 2_2_1BBC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BD3AEBE 2_2_1BD3AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB619DD 2_2_1BB619DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBEA0B0 2_2_1BBEA0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB6209F 2_2_1BB6209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB766C0 2_2_1BB766C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC5A590 2_2_1BC5A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB8A560 2_2_1BB8A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB647AF 2_2_1BB647AF
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00864F2A appears 92 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00826A00 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BB6395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00416AF2 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BB61F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BB63AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BB61C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BB6415B appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 1BD406B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040249B appears 311 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.file.exe.84f038.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.84f038.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: file.exe Static PE information: Section: .Left ZLIB complexity 0.9971032873376623
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/11@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040EDA7 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_0040EDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F1A8 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString, 2_2_0040F1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2895040896.00000000032E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards;0
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: DHJDAFIEHIEGDHIDGDGH.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2900833620.000000001BD78000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2895552761.0000000015E0D000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041608F
Source: file.exe Static PE information: section name: .DAX
Source: file.exe Static PE information: section name: .Left
Source: file.exe Static PE information: section name: .INV
Source: sqlx[1].dll.2.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008660ED push ecx; ret 0_2_00866100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00826158 push ecx; ret 0_2_0082616B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00845F3D push esi; ret 0_2_00845F46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417CB5 push ecx; ret 2_2_00417CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB61BF9 push ecx; ret 2_2_1BD04C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB610C8 push ecx; ret 2_2_1BD63552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5316, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: file.exe, RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Users\user\Desktop\file.exe API coverage: 5.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E76B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E87Eh 2_2_0040E76B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00838F57 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00838F57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040BDAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004011D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004093C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004145BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_004097DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_00414960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00414CC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409E01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 2_2_0041433D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E907 GetSystemInfo,wsprintfA, 2_2_0040E907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2894211044.0000000000D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2895040896.00000000032E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008267DD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008267DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083A021 mov eax, dword ptr fs:[00000030h] 0_2_0083A021
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083010F mov ecx, dword ptr fs:[00000030h] 0_2_0083010F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086410B mov eax, dword ptr fs:[00000030h] 0_2_0086410B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415CD3 mov eax, dword ptr fs:[00000030h] 2_2_00415CD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083C620 GetProcessHeap, 0_2_0083C620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008267DD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008267DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082A713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0082A713
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00826939 SetUnhandledExceptionFilter, 0_2_00826939
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00826A4A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00826A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419387 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00419387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417E5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00417E5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CF18 SetUnhandledExceptionFilter, 2_2_0041CF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB642AF SetUnhandledExceptionFilter, 2_2_1BB642AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB62C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1BB62C8E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0040FC40
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 896008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008264BC cpuid 0_2_008264BC
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0083C0C0
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00835022
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0083C1E9
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0083C2EF
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0083C3BE
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00835548
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0083BCFC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0083BDE2
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0083BD47
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0083BE6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_0040E76B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW, 2_2_1BB62112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1BD3FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_1BD53300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_1BB63AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1BD52DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1BD52D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW, 2_2_1BD52CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008266D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008266D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E651 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_0040E651
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E718 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_0040E718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000002.00000002.2894211044.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.84f038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.84f038.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1626908949.000000000084D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5316, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.84f038.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.84f038.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2893637125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1626908949.000000000084D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5316, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBDDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1BBDDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC8D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1BC8D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC05910 sqlite3_mprintf,sqlite3_bind_int64, 2_2_1BC05910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBE1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BBE1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBDDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset, 2_2_1BBDDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB75C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1BB75C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC1D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC1D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC051D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC051D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBF9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf, 2_2_1BBF9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC3D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC3D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC055B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC055B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC814D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1BC814D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC8D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log, 2_2_1BC8D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB74820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize, 2_2_1BB74820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB90FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset, 2_2_1BB90FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC44D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 2_2_1BC44D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBD8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 2_2_1BBD8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB88680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64, 2_2_1BB88680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBB06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 2_2_1BBB06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBB8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset, 2_2_1BBB8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC437E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC437E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BC23770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BC23770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB8B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64, 2_2_1BB8B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBBEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 2_2_1BBBEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBCE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 2_2_1BBCE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBDE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 2_2_1BBDE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBCE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1BBCE090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BBDA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 2_2_1BBDA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1BB766C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 2_2_1BB766C0