

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435613
MD5: 1a6b4d357d1b8bab80524e40be1b2698
SHA1: 70961ace92a0ebfdb38ae27a22181fb5a4f7d440
SHA256: 09ad84f8dde519aa02e92ffce896f55271105ceaab7e0f0a1f1ca9fee90650ff
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking computer name)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1A6B4D357D1B8BAB80524E40BE1B2698)
    • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 416 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source | Rule | Description | Author | Strings
00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x201f8:$s1: JohnDoe
  • 0x2ef80:$s1: JohnDoe
  • 0x201f0:$s2: HAL9TH
00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: file.exe PID: 6608 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 416 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.file.exe.e1f040.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.file.exe.e1f040.1.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x1e7f8:$s1: JohnDoe
  • 0x1e7f0:$s2: HAL9TH
0.2.file.exe.e1f040.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.file.exe.e1f040.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x1f3f8:$s1: JohnDoe
  • 0x1f3f0:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
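The ditekSHen rule matched above keys on the two strings the Windows Defender emulator exposes to a sample it runs: the default username JohnDoe and hostname HAL9TH. A stealer that reads both and exits when they match never shows the engine its real behaviour, which is also what the "may stop execution after checking computer name" signature in this report describes. Added example, not Joe Sandbox's or ditekSHen's code: a small scanner that finds those markers in a memory region with YARA fullword semantics and prints them in the report's offset:$id form. The region is constructed, with the strings placed at the offsets the unpacked file.exe dump reported (0x1e7f0 and 0x1e7f8); the rule's condition is assumed to be "both strings present" and its PE-header check is left out.

```python
"""Locate Windows Defender emulator artefacts (JohnDoe / HAL9TH) in a dump.

Added example, not Joe Sandbox or ditekSHen code. Assumes the matched rule
looks for both strings as full ASCII words; the PE-header part of the rule
condition is not reproduced. The sample region below is constructed.
"""
from typing import Dict, List

# Defender's emulator presents username "JohnDoe" on host "HAL9TH". Malware
# that compares the live values against these and bails out hides its payload
# from the engine, so the literals themselves are a useful indicator.
EMULATOR_MARKERS: Dict[str, bytes] = {"$s1": b"JohnDoe", "$s2": b"HAL9TH"}

_ALNUM = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def _fullword(buf: bytes, pos: int, length: int) -> bool:
    """YARA 'fullword' semantics: both neighbours must be non-alphanumeric."""
    before = buf[pos - 1] if pos > 0 else None
    after = buf[pos + length] if pos + length < len(buf) else None
    return before not in _ALNUM and after not in _ALNUM


def find_markers(buf: bytes, base: int = 0) -> Dict[str, List[int]]:
    """Offsets (plus `base`) of every fullword occurrence of each marker."""
    hits: Dict[str, List[int]] = {name: [] for name in EMULATOR_MARKERS}
    for name, needle in EMULATOR_MARKERS.items():
        start = 0
        while (pos := buf.find(needle, start)) != -1:
            if _fullword(buf, pos, len(needle)):
                hits[name].append(base + pos)
            start = pos + 1
    return hits


def is_anti_emulation_candidate(buf: bytes) -> bool:
    """Assumed rule condition: every marker string is present at least once."""
    return all(find_markers(buf).values())


def format_like_report(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits in the 'offset:$id: string' form the report uses."""
    return sorted(
        f"0x{off:x}:{name}: {EMULATOR_MARKERS[name].decode()}"
        for name, offsets in hits.items()
        for off in offsets
    )


def build_sample_dump() -> bytes:
    """Constructed zero-filled region with the markers at the reported offsets."""
    region = bytearray(0x1F000)
    region[0x1E7F0:0x1E7F0 + 6] = b"HAL9TH"
    region[0x1E7F8:0x1E7F8 + 7] = b"JohnDoe"
    return bytes(region)


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    hits = find_markers(SAMPLE_DUMP)
    for line in format_like_report(hits):
        print(line)
    print("anti-emulation candidate:", is_anti_emulation_candidate(SAMPLE_DUMP))
```

Run it against a raw process-memory dump (for example the .sdmp regions listed above) to get the same offset listing the rule produced; a hit on only one of the two strings is not enough for the assumed condition and is reported as no match.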
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "03cea2609023d13f145ac6c5dc897112", "Version": "9.3"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00406252 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004061EF CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040825F memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00402420 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040F82E CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb | source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E08F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199680449169
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 95.217.245.42:9000
Source: global traffic | HTTP traffic detected:
  GET /profiles/76561199680449169 HTTP/1.1
  Host: steamcommunity.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 95.217.245.42
Source: Joe Sandbox View | IP Address: 104.105.90.131
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 95.217.245.42 (50 occurrences)
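The extracted configuration names only a Steam profile URL, not a C2 server. The sample fetches that profile page over HTTPS and reads its real C2 address out of the page, which is why the dropped copy of the profile (76561199680449169[1].htm) contains the string https://95.217.245.42:9000 and why every connection to 95.217.245.42 above has no DNS query behind it: the address arrives as a literal IP. Added example, not code from Joe Sandbox or from the malware: extract raw-IP URLs from a constructed stand-in for the profile HTML (the element class holding the address is an assumption; the address is the one the report recovered), then flag captured flows whose destination was never returned by a DNS answer, scoring those that match an extracted address higher.

```python
"""Recover a dead-drop C2 from a fetched profile page and flag direct-IP flows.

Added example, not Joe Sandbox or Vidar code. The HTML is a constructed
stand-in for 76561199680449169[1].htm: the <span> class is an assumption,
the address inside it is the one the report recovered. Flow records and DNS
answers are constructed to mirror the two connections in this report.
"""
import html
import re
from typing import Iterable, List, Set, Tuple

# Constructed profile fragment. The slashes are deliberately HTML-escaped so
# the example shows why the page must be unescaped before matching.
SAMPLE_PROFILE_HTML = """
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">https:&#x2F;&#x2F;95.217.245.42:9000|</span>
</div>
"""

# Constructed flows (src, dst_ip, dst_port) and the IPs seen in DNS answers.
SAMPLE_FLOWS = [
    ("192.168.2.4", "104.105.90.131", 443),   # steamcommunity.com, resolved
    ("192.168.2.4", "95.217.245.42", 9000),   # address read from the page, no DNS
]
SAMPLE_DNS_ANSWERS: Set[str] = {"104.105.90.131"}

# A URL whose host is a literal IPv4 address, with an optional port.
_RAW_IP_URL = re.compile(r"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")


def extract_c2(page: str) -> List[Tuple[str, int]]:
    """Return sorted (ip, port) pairs for every raw-IP URL in the page text."""
    text = html.unescape(page)
    found: Set[Tuple[str, int]] = set()
    for scheme, ip, port in _RAW_IP_URL.findall(text):
        if not all(int(octet) <= 255 for octet in ip.split(".")):
            continue  # e.g. 999.1.1.1 is not an address
        found.add((ip, int(port) if port else (443 if scheme == "https" else 80)))
    return sorted(found)


def flag_unresolved(
    flows: Iterable[Tuple[str, str, int]],
    dns_answers: Set[str],
    known_c2: Iterable[Tuple[str, int]],
) -> List[Tuple[str, int, str]]:
    """Flows to a destination never returned by DNS: 'medium' by default,
    'high' when the destination matches an address pulled from the dead drop."""
    c2_hosts = {ip for ip, _port in known_c2}
    alerts: List[Tuple[str, int, str]] = []
    for _src, dst, port in flows:
        if dst in dns_answers:
            continue
        alerts.append((dst, port, "high" if dst in c2_hosts else "medium"))
    return alerts


if __name__ == "__main__":
    c2 = extract_c2(SAMPLE_PROFILE_HTML)
    print("dead-drop C2:", c2)
    for dst, port, severity in flag_unresolved(SAMPLE_FLOWS, SAMPLE_DNS_ANSWERS, c2):
        print(f"{severity}: {dst}:{port} contacted without a DNS lookup")
```

In a real investigation the page text comes from the proxy or sandbox's saved response and the flows from the capture; pairing the two turns a generic "TCP to an unresolved IP" observation into a confirmed C2 hit, and the extracted address is what goes into the block list rather than steamcommunity.com.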
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00404165 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.co equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866748482.000000001C2DD000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42/
Source: 76561199680449169[1].htm.2.dr | String found in binary or memory: https://95.217.245.42:9000
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/0ea2osoft
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/B
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/J
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/Z
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/mozglue.dllt
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/msvcp140.dlldge
Source: RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/nss3.dll)))
Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/nss3.dllD
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/nss3.dllft
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/r
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/softokn3.dlldge
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/sqlx.dll
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dll_7)
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllser
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/vcruntime140.dllw=
Source: RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000/z
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:900090ea2le
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000606000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000acrosoft
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000el
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000ing
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000l
Source: RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.245.42:9000vcruntime140.dllUser
Source: BKKFHIEG.2.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: 76561199680449169[1].htm.2.dr | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: BKKFHIEG.2.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BKKFHIEG.2.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BKKFHIEG.2.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&a
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqw
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&l=e
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                Source: 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                Source: BKKFHIEG.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: BKKFHIEG.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: BKKFHIEG.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.co
                Source: 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/X
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: file.exe, file.exe, 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                Source: 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                Source: 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/legal/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: CGDGCFBA.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: CGDGCFBA.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                Source: file.exe, file.exe, 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/r1g1o
                Source: BKKFHIEG.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: BKKFHIEG.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=T
                Source: RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownHTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FD7F _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                System Summary

                Source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3B0B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E394EB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E03663
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E38A49
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E39BC7
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E0CD80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFEEF0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00DFBE7D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E38F9A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E03F4F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041A609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041B787
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041AB5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CC70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0A4CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09292D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1F9CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C092AA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0912A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C091C9E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C145940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C092018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1B9A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1F9430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C139690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C14D6D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0A9000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1B5040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C26D209
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1253B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C093580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0B8D2A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C091EF1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C194A60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1D0480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0B8680
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0B8763
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0F4760
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C128760
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1B8030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C110090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C118120
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C093AB2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09290A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09251D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0BBAB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09F160
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09174E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0C3370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0919DD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0D6E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C26AEBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0F2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1CE800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C093E3B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09481D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1AA900
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C18A940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C1769C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09AA40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0947AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0BA560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C18A590
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C0A66C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C11A0B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_1C09209F
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00DF6C10 appears 49 times
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00E34F32 appears 98 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00416AF2 appears 98 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C091F5A appears 31 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C093AF3 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C09395E appears 78 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C091C2B appears 47 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C09415B appears 133 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0040249B appears 311 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1C2706B1 appears 36 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: file.exeStatic PE information: Section: .Left ZLIB complexity 0.9971438717532467
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/10@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040EDA7 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040F1A8 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199680449169[1].htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866592899.000000001C2A8000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: file.exe | Static PE information: section name: .Left
Source: sqlx[1].dll.2.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E360F5 push ecx; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1EBE5 push cs; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1EBAF push cs; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E1EC2B push cs; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF5F0D push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00417CB5 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C091BF9 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0910C8 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Evasive API call chain: GetComputerName,DecisionNodes,Sleep
Source: file.exe, RegAsm.exe | Binary or memory string: DIR_WATCH.DLL
Source: file.exe, RegAsm.exe | Binary or memory string: SBIEDLL.DLL
Source: file.exe, RegAsm.exe | Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
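The fused string above is the evasion table the unpacked payload compares its environment against: HAL9TH and JohnDoe are the computer name and user name that Windows Defender's antimalware emulator presents to a scanned binary (which is what the ditekSHen rule matched on), and the rest are DLLs that sandboxes and analysis tools inject into monitored processes. The "GetComputerName, decision, Sleep" chain reported above is that check in action. As an added example, not code from Joe Sandbox or from the sample, the following scans memory strings for these indicators and groups them by the tool they betray; the category names and the DLL-to-tool attributions in the comments are this example's own, taken from the usual public anti-sandbox string lists, and the input lines are constructed from the rows on this page.

```python
"""Triage helper: group anti-analysis strings found in a memory dump by what they detect.
Added example; attributions in comments are the commonly published ones, not from the report."""
import re

# Matched case-insensitively as substrings, because dumps fuse adjacent strings (the blob
# from the report has no separators between HAL9TH, JOHNDOE and the DLL names).
INDICATORS = {
    # Computer name and user name seen inside Windows Defender's antimalware emulator
    "defender-emulator": ("HAL9TH", "JOHNDOE"),
    # Sandboxie injects SbieDll.dll into every sandboxed process
    "sandboxie": ("SBIEDLL.DLL",),
    # iDefense SysAnalyzer API logger / directory watcher
    "sysanalyzer": ("API_LOG.DLL", "DIR_WATCH.DLL"),
    # Hook DLLs of Avast (snxhk), AVG and the Comodo container
    "av-hook-dll": ("SNXHK.DLL", "AVGHOOKX.DLL", "AVGHOOKA.DLL", "CMDVRT32.DLL", "CMDVRT64.DLL"),
    # Virtual PC (vmcheck), WPE Pro packet sniffer (wpespy), Sunbelt sandbox (pstorec)
    "analysis-tool-dll": ("VMCHECK.DLL", "WPESPY.DLL", "PSTOREC.DLL"),
    # CPUID hypervisor vendor string returned inside VMware guests
    "hypervisor-cpuid": ("VMWAREVMWARE",),
}


def ascii_strings(blob: bytes, min_len: int = 6):
    """Printable-ASCII runs of at least min_len bytes, i.e. what `strings` would print."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_strings(lines):
    """Map category -> set of indicator strings present anywhere in the given lines."""
    hits = {}
    for line in lines:
        upper = line.upper()
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle in upper:
                    hits.setdefault(category, set()).add(needle)
    return hits


def assessment(hits):
    """One category alone can be incidental (an AV hook name in a compatibility list);
    three or more distinct ones side by side is what an evasion routine looks like."""
    if len(hits) >= 3:
        return "evasion-routine"
    if hits:
        return "review"
    return "clean"


# Constructed input: the fused blob and the CPUID string from the report's memory dump rows,
# plus one of the SQLite statements from the same dump as a benign control line.
SAMPLE_STRINGS = [
    "AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLL"
    "PSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL",
    "VMwareVMware",
    "CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);",
]

if __name__ == "__main__":
    found = scan_strings(SAMPLE_STRINGS)
    for category, needles in sorted(found.items()):
        print(f"{category:20s} {', '.join(sorted(needles))}")
    print("assessment:", assessment(found))
```

To run it over a real dump, feed `ascii_strings(open(path, "rb").read())` to `scan_strings`. The check deliberately does not try to split the fused blob into tokens; substring matching is what survives the missing separators.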
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
Source: C:\Users\user\Desktop\file.exe | API coverage: 9.4 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040E76B GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040E87Eh
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E08F67 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040BDAF _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004011D9 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004093C1 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004145BC _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004097DC _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00414960 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00414CC7 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409E01 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00413F80 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041433D _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040E907 GetSystemInfo,wsprintfA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: RegAsm.exe, 00000002.00000002.2862621914.00000000012D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001393000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001310000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFA723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041608F GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0A031 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E001B7 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E34113 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415CD3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0C630 GetProcessHeap,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF66E5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFA723 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF69EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF6B4B SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00419387 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00417E5F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CF18 SetUnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C092C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0942AF SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FC40 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 420000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Users\user\Desktop\file.exe target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E0B008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF64CC cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF68E2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040E651 GetProcessHeap,HeapAlloc,GetUserNameA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040E718 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000002.00000002.2862662158.0000000001310000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.e1f040.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e1f040.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 416, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0A5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C10DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C111FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C135910 sqlite3_mprintf,sqlite3_bind_int64,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1BD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C10DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1B14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1BD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1355B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C16D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C129090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1351D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C14D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C174D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0C0FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0A4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0E8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0B8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0E06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C108200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0BB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C153770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C1737E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0EEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0A66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C10A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0FE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C10E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1C0FE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,
MITRE ATT&CK Matrix (one line per tactic column; the numeric badges shown beside a technique are kept as they appear in the matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (411); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Process Injection (411); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (2); Security Software Discovery (141); Process Discovery (12); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (3); System Information Discovery (154)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (21); Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection for the submitted sample

Source | Detection | Scanner | Label | Link
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 100% | Avira | HEUR/AGEN.1317595 |
file.exe | 100% | Joe Sandbox ML | |
Antivirus detection for dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 0% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
Antivirus detection for URLs

Source | Detection | Scanner | Label | Link
https://recaptcha.net | 0% | URL Reputation | safe |
https://www.gstatic.cn/recaptcha/ | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/r | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/mozglue.dll | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/z | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/msvcp140.dlldge | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/nss3.dll))) | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000 | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000l | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/nss3.dllD | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/nss3.dllft | 0% | Avira URL Cloud | safe |
https://95.217.245.42:900090ea2le | 0% | Avira URL Cloud | safe |
https://95.217.245.42/ | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/softokn3.dll | 0% | Avira URL Cloud | safe |
https://community.akamai.steamstatic | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/mozglue.dllt | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000vcruntime140.dllUser | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/mozglue.dllEdge | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/softokn3.dlldge | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/0ea2osoft | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000acrosoft | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/vcruntime140.dllser | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/nss3.dll | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/freebl3.dllEdge | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000el | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/vcruntime140.dllw= | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/msvcp140.dll | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/J | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/vcruntime140.dll_7) | 0% | Avira URL Cloud | safe |
https://95.217.245.42:9000/B | 0% | Avira URL Cloud | safe |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.105.90.131 | true | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199680449169 | false | | high
URLs from memory and binaries (the Reputation cell of the last row lies beyond the end of this excerpt)

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | BKKFHIEG.2.dr | false | | high
https://duckduckgo.com/ac/?q= | BKKFHIEG.2.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://steamcommunity.com/?subsection=broadcasts | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://95.217.245.42:9000/mozglue.dll | RegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:9000/r | RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://www.gstatic.cn/recaptcha/ | RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://95.217.245.42:9000/z | RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:9000/msvcp140.dlldge | RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:9000 | 76561199680449169[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
http://www.valvesoftware.com/legal.htm | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6& | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://95.217.245.42:9000l | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://95.217.245.42:9000/nss3.dllD | RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:9000/nss3.dll))) | RegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://95.217.245.42:9000/Z | RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://95.217.245.42:9000/nss3.dllft | RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42/ | RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:900090ea2le | RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
http://store.steampowered.com/privacy_agreement/ | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://95.217.245.42:9000/softokn3.dll | RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/points/shop/ | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | BKKFHIEG.2.dr | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.dr | false | | high
https://steamcommunity.com/profiles/76561199680449169/badges | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://www.ecosia.org/newtab/ | BKKFHIEG.2.dr | false | | high
https://www.youtube.com/ | RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 76561199680449169[1].htm.2.dr | false | | high
https://store.steampowered.com/privacy_agreement/ | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://steamcommunity.com/X | RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://95.217.245.42:9000vcruntime140.dllUser | RegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | | high
https://community.akamai.steamstatic | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://95.217.245.42:9000/mozglue.dllt | RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.dr | false | |
                                                                                    high
                                                                                    https://www.google.com/recaptcha/RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://95.217.245.42:9000/mozglue.dllEdgeRegAsm.exe, 00000002.00000002.2862223964.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                        high
                                                                                        https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=englishRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                          high
                                                                                          https://95.217.245.42:9000/softokn3.dlldgeRegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                            high
                                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesCGDGCFBA.2.drfalse
                                                                                              high
                                                                                              https://www.valvesoftware.com/en/contact?contact-person=TRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englisRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                  high
                                                                                                  https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                    high
                                                                                                    https://95.217.245.42:9000/0ea2osoftRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://store.steampowered.com/about/76561199680449169[1].htm.2.drfalse
                                                                                                      high
                                                                                                      https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                        high
                                                                                                        https://95.217.245.42:9000acrosoftRegAsm.exe, 00000002.00000002.2862223964.0000000000606000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        https://95.217.245.42:9000/vcruntime140.dllserRegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://help.steampowered.com/en/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                          high
                                                                                                          https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://steamcommunity.com/market/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                              high
                                                                                                              https://store.steampowered.com/news/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                high
                                                                                                                https://community.akamai.steamstatic.com/RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqwRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                    high
                                                                                                                    https://95.217.245.42:9000/nss3.dllRegAsm.exe, 00000002.00000002.2862938128.000000000156D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://95.217.245.42:9000/freebl3.dllEdgeRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://95.217.245.42:9000elRegAsm.exe, 00000002.00000002.2862223964.000000000056C000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    low
                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=BKKFHIEG.2.drfalse
                                                                                                                      high
                                                                                                                      http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                        high
                                                                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F7656119968044916976561199680449169[1].htm.2.drfalse
                                                                                                                          high
                                                                                                                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                            high
                                                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, CGDGCFBA.2.drfalse
                                                                                                                              high
                                                                                                                              https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                high
                                                                                                                                https://95.217.245.42:9000/vcruntime140.dllw=RegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://steamcommunity.com/discussions/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                  high
                                                                                                                                  https://t.me/r1g1ofile.exe, file.exe, 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://store.steampowered.com/stats/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                      high
                                                                                                                                      https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                          high
                                                                                                                                          https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallCGDGCFBA.2.drfalse
                                                                                                                                            high
                                                                                                                                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchBKKFHIEG.2.drfalse
                                                                                                                                              high
                                                                                                                                              https://95.217.245.42:9000/msvcp140.dllRegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://95.217.245.42:9000/vcruntime140.dll_7)RegAsm.exe, 00000002.00000002.2862223964.000000000052E000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://steamcommunity.com/workshop/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                                high
                                                                                                                                                https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.sqlite.org/copyright.html.RegAsm.exe, 00000002.00000002.2863327466.000000001632F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2866748482.000000001C2DD000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://95.217.245.42:9000/BRegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&aRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000002.00000002.2862223964.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2862775596.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.2.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199680449169[1].htm.2.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icoBKKFHIEG.2.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://95.217.245.42:9000/JRegAsm.exe, 00000002.00000002.2862953478.0000000001584000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://recaptcha.netRegAsm.exe, 00000002.00000002.2862662158.0000000001374000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
Map legend (share of contacted IPs per country): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
95.217.245.42 | unknown | Germany | 24940 | HETZNER-ASDE | false
104.105.90.131 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435613
Start date and time: 2024-05-02 23:45:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal100.troj.spyw.evad.winEXE@4/10@1/2
                                                                                                                                                              EGA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 92%
                                                                                                                                                              • Number of executed functions: 0
                                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                              • TCP Packets have been reduced to 100
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 72.21.81.240
                                                                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                              • VT rate limit hit for: file.exe
Time      Type             Description
23:45:56  API Interceptor  1x Sleep call for process: RegAsm.exe modified
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 126976
Entropy (8bit): 0.47147045728725767
Encrypted: false
SSDEEP: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5: A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1: BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256: B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512: C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ [non-printable bytes] O} [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.1358696453229276
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5: 28591AA4E12D1C4FC761BE7C0A468622
SHA1: BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256: 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512: 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ [non-printable bytes] 4 [non-printable bytes] ! [non-printable bytes] j [non-printable bytes] 1 [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category: dropped
Size (bytes): 28672
Entropy (8bit): 2.5793180405395284
Encrypted: false
SSDEEP: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5: 41EA9A4112F057AE6BA17E2838AEAC26
SHA1: F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256: CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512: 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ [non-printable bytes] j [non-printable bytes] g [non-printable bytes] $ [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.7873599747470391
Encrypted: false
SSDEEP: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5: 6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1: 4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256: 0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512: BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ [non-printable bytes] ' [non-printable bytes] j [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: modified
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ [non-printable bytes] 8 [non-printable bytes] $ [non-printable bytes] O} [non-printable bytes] 4 [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 49152
Entropy (8bit): 0.8180424350137764
Encrypted: false
SSDEEP: 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5: 349E6EB110E34A08924D92F6B334801D
SHA1: BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256: C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512: 2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious: false
Preview: SQLite format 3......@ [non-printable bytes] O} [non-printable bytes, rendered as dots in the original report, to end of preview]

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 69993
Entropy (8bit): 7.99584879649948
Encrypted: true
SSDEEP: 1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5: 29F65BA8E88C063813CC50A4EA544E93
SHA1: 05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512: E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious: false
Preview: MSCF....i.......,...................I.................oXAy .authroot.stl [remainder of preview is compressed cabinet data, non-printable bytes rendered as dots in the original report]
                                                                                                                                                              Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):330
                                                                                                                                                              Entropy (8bit):3.139206469813435
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:6:kKNE/lDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:FSlMkPlE99SNxAhUeVLVt
                                                                                                                                                              MD5:277583C13263F9525C5E77A13724E844
                                                                                                                                                              SHA1:D008CCD731B24CC241A47C8822E3F8080BADBF45
                                                                                                                                                              SHA-256:732D15B2D0D05C5DEBB686ACD7E3FEC42EA2BEC7324810A0F193D58D58294971
                                                                                                                                                              SHA-512:A4BC61FB46CCCFD78C578E920E280D99AAA4A8115B68FD988ADD081DA1878ED963A81B4C4D60BFC8E405F62D6EDDC1F3CBBEF5B8EAEA62EBB476D6B72927CDCD
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:p...... ..........B....(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):34791
                                                                                                                                                              Entropy (8bit):5.384005815680116
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:768:Xdpqm+0Ih3YAA9CWGEqfcDAGPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2D:Xd8m+0Ih3YAA9CWGEqFGPzzgiJmDzJtE
                                                                                                                                                              MD5:6C8C25D8CF07A6F37F1F9BEEA527C9B5
                                                                                                                                                              SHA1:66719A470CC1A8D6CB4006EBD7529CDD45B9B88B
                                                                                                                                                              SHA-256:63172A35E2CFC48D0E6AC7D77FAB89A36A0B68C8291F5F12F8C1F51ACFA2EF90
                                                                                                                                                              SHA-512:19E91008561919E873F2BA7744D88EEC2B03B8C8B5548161A243740C8B8D1568EFB3E2647B4453D8DAF086E9D7CBD7362B8F449ED0D9690E36CF53E49D1C1630
                                                                                                                                                              Malicious:false
                                                                                                                                                              Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: p__o https://95.217.245.42:9000|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<lin
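The page above was fetched and written to disk by RegAsm.exe, and its <title> carries a Steam profile display name that is itself a URL: "p__o https://95.217.245.42:9000|". That is the dead-drop resolver pattern Vidar-family stealers are widely documented to use: the real C2 is published in a profile name on a legitimate, high-reputation site, so the binary only has to hard-code the Steam profile URL. The script below is an added example, not code from the report or from the malware, that pulls the C2 endpoint out of such a page the way an analyst would when triaging the dropped file. The embedded HTML is a constructed stand-in that reuses only the title string shown in the preview; the regular expressions and the trailing "|" delimiter handling are assumptions about this family's format.

```python
import re
from html import unescape
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the HTML that RegAsm.exe dropped: the <title> is copied
# from the report's preview, the rest of the real page (stylesheets, scripts) is
# omitted because the lookup only needs the profile name.
SAMPLE_STEAM_PAGE = (
    '<!DOCTYPE html>\n<html class=" responsive" lang="en">\n<head>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">\n'
    '<title>Steam Community :: p__o https://95.217.245.42:9000|</title>\n'
    '</head>\n<body></body>\n</html>\n'
)

# Profile name as Steam renders it in the page title: "Steam Community :: <name>".
TITLE_RE = re.compile(r"<title>\s*Steam Community\s*::\s*(.*?)\s*</title>", re.I | re.S)
# Anything URL-shaped inside the name; the trailing "|" seen in the sample is treated
# as a delimiter (assumption) and is excluded from the match.
URL_RE = re.compile(r"https?://[^\s|\"'<>]+")


def extract_profile_name(html: str) -> Optional[str]:
    """Return the Steam profile display name carried in the page title, or None."""
    m = TITLE_RE.search(html)
    return unescape(m.group(1)).strip() if m else None


def extract_c2_urls(html: str) -> List[str]:
    """Return every URL embedded in the profile name (the resolved C2 address)."""
    name = extract_profile_name(html)
    return URL_RE.findall(name) if name else []


def c2_endpoints(html: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs ready for blocking and for proxy/firewall log hunting."""
    endpoints = []
    for url in extract_c2_urls(html):
        parts = urlsplit(url)
        if parts.hostname:
            port = parts.port or (443 if parts.scheme == "https" else 80)
            endpoints.append((parts.hostname, port))
    return endpoints


if __name__ == "__main__":
    for host, port in c2_endpoints(SAMPLE_STEAM_PAGE):
        print(f"dead-drop resolved C2: {host}:{port}")
```

Two things worth acting on from the result: the resolved endpoint uses HTTPS on port 9000 rather than 443, which is the kind of non-standard port egress filtering should already be catching, and the retrieval itself came from RegAsm.exe, a .NET framework utility that has no business contacting steamcommunity.com, so "RegAsm.exe (or any injected-into host process) to steamcommunity.com/profiles" is a useful hunting query independent of the specific IP, which the operator can rotate by editing the profile.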
                                                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):2459136
                                                                                                                                                              Entropy (8bit):6.052474106868353
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                                                                                                              MD5:90E744829865D57082A7F452EDC90DE5
                                                                                                                                                              SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                                                                                                              SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                                                                                                              SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                                                                                                              Malicious:false
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................
                                                                                                                                                              File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                              Entropy (8bit):7.512784715951123
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                              File name:file.exe
                                                                                                                                                              File size:386'560 bytes
                                                                                                                                                              MD5:1a6b4d357d1b8bab80524e40be1b2698
                                                                                                                                                              SHA1:70961ace92a0ebfdb38ae27a22181fb5a4f7d440
                                                                                                                                                              SHA256:09ad84f8dde519aa02e92ffce896f55271105ceaab7e0f0a1f1ca9fee90650ff
                                                                                                                                                              SHA512:67484dcb04fc15b09b88679fd3ac860991cebe97c07a27bf9e425e8277def7f61d244690ee582c2be72d0dda3fa486b53382f3e3ad368602d176c5f72a77de67
                                                                                                                                                              SSDEEP:6144:NqW5NIK5m09C0h5t4mnNpZO+Ua2PsQxDnK6gDelK88JqeGq0DLt+7SHo:8W5NIYF4mnZO+Ua2zxDnKrZJqtHLt+mI
                                                                                                                                                              TLSH:1684E05571C1C072D57319360AF5E6B8AE7DB8700A629EEF67980F7E0F30282D2356A7
                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.+z?.E)?.E)?.E)..F(3.E)..@(..E)..A(*.E)..A(-.E)..F(+.E)..D(:.E)?.D)e.E)..@(r.E)..@(>.E)...)>.E)..G(>.E)Rich?.E)........PE..L..
                                                                                                                                                              Icon Hash:90cececece8e8eb0
                                                                                                                                                              Entrypoint:0x406239
                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                              Digitally signed:false
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              Subsystem:windows cui
                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                              Time Stamp:0x6634033C [Thu May 2 21:18:52 2024 UTC]
                                                                                                                                                              TLS Callbacks:
                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                              OS Version Major:6
                                                                                                                                                              OS Version Minor:0
                                                                                                                                                              File Version Major:6
                                                                                                                                                              File Version Minor:0
                                                                                                                                                              Subsystem Version Major:6
                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                              Import Hash:ab27116ad46b656bb5d70aa3050a97a2
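The entrypoint listing under Instruction below opens with a small helper that walks the PE section table of the running image: it reads e_lfanew at +3Ch, NumberOfSections at +06h and SizeOfOptionalHeader at +14h, steps through 28h-byte section headers from +18h past the optional header, and returns the header whose [VirtualAddress, VirtualAddress + VirtualSize) range (offsets +0Ch and +08h) contains the RVA passed in, or zero. Together with the lock cmpxchg on a global that follows it, this is the shape of the MSVC CRT startup helpers, not the stealer's own logic, which is worth knowing before spending time on the code at 0x406239. As an added example (not code from the report or the sample), the Python below re-implements that exact walk against a constructed PE header skeleton so the offsets in the listing can be checked; the section layout in the skeleton is invented for the demonstration and only the timestamp and characteristics are taken from the static information above.

```python
import struct
from typing import Optional, Tuple

# Header offsets the entrypoint code reads (all little-endian):
E_LFANEW = 0x3C              # IMAGE_DOS_HEADER.e_lfanew            (mov ecx, [eax+3Ch])
NUMBER_OF_SECTIONS = 0x06    # FileHeader.NumberOfSections           (movzx eax, word [ecx+06h])
SIZE_OF_OPTIONAL_HDR = 0x14  # FileHeader.SizeOfOptionalHeader       (movzx eax, word [ecx+14h])
OPTIONAL_HDR = 0x18          # IMAGE_NT_HEADERS.OptionalHeader       (lea edx, [ecx+18h])
SECTION_HDR_SIZE = 0x28      # sizeof(IMAGE_SECTION_HEADER)          (imul esi, eax, 28h)
SEC_VIRTUAL_SIZE = 0x08      # IMAGE_SECTION_HEADER.Misc.VirtualSize ([edx+08h])
SEC_VIRTUAL_ADDRESS = 0x0C   # IMAGE_SECTION_HEADER.VirtualAddress   ([edx+0Ch])


def find_pe_section(image: bytes, rva: int) -> Optional[Tuple[str, int, int]]:
    """Mirror of the section walk in the listing: (name, VirtualAddress, VirtualSize)
    of the section containing rva, or None when the RVA falls in no section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + NUMBER_OF_SECTIONS)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + SIZE_OF_OPTIONAL_HDR)[0]
    section = e_lfanew + OPTIONAL_HDR + opt_size        # first section header
    end = section + num_sections * SECTION_HDR_SIZE      # one past the last header
    while section != end:                                # cmp edx, esi / jne loop
        vsize, va = struct.unpack_from("<II", image, section + SEC_VIRTUAL_SIZE)
        # listing: skip when rva < VirtualAddress, hit when rva < VirtualAddress + VirtualSize
        if va <= rva < va + vsize:
            name = image[section:section + 8].rstrip(b"\0").decode("ascii", "replace")
            return name, va, vsize
        section += SECTION_HDR_SIZE                      # add edx, 28h
    return None                                          # xor eax, eax


def section_of_entrypoint(image: bytes, entrypoint_va: int, imagebase: int) -> Optional[str]:
    """Name of the section holding a virtual address, e.g. the report's Entrypoint value."""
    hit = find_pe_section(image, entrypoint_va - imagebase)
    return hit[0] if hit else None


def build_sample_image() -> bytes:
    """Constructed 32-bit PE skeleton (not the analysed sample): DOS header, PE
    signature, file header, zero-filled PE32 optional header, two section headers.
    Only the fields the walk reads carry meaningful values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)
    # Machine=i386, 2 sections, TimeDateStamp from the report, no symbols,
    # SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0x6634033C, 0, 0, 0xE0, 0x0102)
    optional_header = bytes(0xE0)

    def section_header(name: bytes, vsize: int, va: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, then the raw-data/reloc fields zeroed
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, 0, 0, 0, 0, 0, 0, 0)

    sections = (section_header(b".text", 0x10000, 0x1000)
                + section_header(b".rdata", 0x4000, 0x11000))
    return bytes(dos) + b"PE\0\0" + file_header + optional_header + sections


if __name__ == "__main__":
    img = build_sample_image()
    print(section_of_entrypoint(img, 0x406239, 0x400000))
```

Run against a real dump instead of the skeleton (read the file, pass the bytes), the same function tells you which section an address from the report belongs to; the RVA check on both ends matters because an address inside the headers or in the gap between sections is legitimately "no section", and the CRT code returns zero for it rather than the nearest header.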
                                                                                                                                                              Instruction
                                                                                                                                                              call 00007FF5BC8C82A6h
                                                                                                                                                              jmp 00007FF5BC8C7A29h
                                                                                                                                                              push ebp
                                                                                                                                                              mov ebp, esp
                                                                                                                                                              mov eax, dword ptr [ebp+08h]
                                                                                                                                                              push esi
                                                                                                                                                              mov ecx, dword ptr [eax+3Ch]
                                                                                                                                                              add ecx, eax
                                                                                                                                                              movzx eax, word ptr [ecx+14h]
                                                                                                                                                              lea edx, dword ptr [ecx+18h]
                                                                                                                                                              add edx, eax
                                                                                                                                                              movzx eax, word ptr [ecx+06h]
                                                                                                                                                              imul esi, eax, 28h
                                                                                                                                                              add esi, edx
                                                                                                                                                              cmp edx, esi
                                                                                                                                                              je 00007FF5BC8C7BCBh
                                                                                                                                                              mov ecx, dword ptr [ebp+0Ch]
                                                                                                                                                              cmp ecx, dword ptr [edx+0Ch]
                                                                                                                                                              jc 00007FF5BC8C7BBCh
                                                                                                                                                              mov eax, dword ptr [edx+08h]
                                                                                                                                                              add eax, dword ptr [edx+0Ch]
                                                                                                                                                              cmp ecx, eax
                                                                                                                                                              jc 00007FF5BC8C7BBEh
                                                                                                                                                              add edx, 28h
                                                                                                                                                              cmp edx, esi
                                                                                                                                                              jne 00007FF5BC8C7B9Ch
                                                                                                                                                              xor eax, eax
                                                                                                                                                              pop esi
                                                                                                                                                              pop ebp
                                                                                                                                                              ret
                                                                                                                                                              mov eax, edx
                                                                                                                                                              jmp 00007FF5BC8C7BABh
                                                                                                                                                              push esi
                                                                                                                                                              call 00007FF5BC8C857Dh
                                                                                                                                                              test eax, eax
                                                                                                                                                              je 00007FF5BC8C7BD2h
                                                                                                                                                              mov eax, dword ptr fs:[00000018h]
                                                                                                                                                              mov esi, 0042E254h
                                                                                                                                                              mov edx, dword ptr [eax+04h]
                                                                                                                                                              jmp 00007FF5BC8C7BB6h
                                                                                                                                                              cmp edx, eax
                                                                                                                                                              je 00007FF5BC8C7BC2h
                                                                                                                                                              xor eax, eax
                                                                                                                                                              mov ecx, edx
                                                                                                                                                              lock cmpxchg dword ptr [esi], ecx
                                                                                                                                                              test eax, eax
                                                                                                                                                              jne 00007FF5BC8C7BA2h
                                                                                                                                                              xor al, al
                                                                                                                                                              pop esi
                                                                                                                                                              ret
                                                                                                                                                              mov al, 01h
                                                                                                                                                              pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FF5BC8C7BB9h
mov byte ptr [0042E258h], 00000001h
call 00007FF5BC8C7DB3h
call 00007FF5BC8CAB10h
test al, al
jne 00007FF5BC8C7BB6h
xor al, al
pop ebp
ret
call 00007FF5BC8D37B0h
test al, al
jne 00007FF5BC8C7BBCh
push 00000000h
call 00007FF5BC8CAB17h
pop ecx
jmp 00007FF5BC8C7B9Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0042E259h], 00000000h
je 00007FF5BC8C7BB6h
mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c5fc | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x61000 | 0x1a60 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2aba8 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2aae8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2120f | 0x21400 | 0259f14c144706b277635ed1ab0291c1 | False | 0.5809592340225563 | data | 6.627111363402685 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x23000 | 0x9d30 | 0x9e00 | 4ac3dfb1efdf79208f4c0db2bef44157 | False | 0.4347804588607595 | data | 4.959230681067143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x1d54 | 0x1000 | 96f6fc94400f9b3c80d126cafa6f2df3 | False | 0.190673828125 | data | 3.018020491461944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Left | 0x2f000 | 0x300ec | 0x30200 | b0ab413fbd3df6b5d08a9255fbc8df24 | False | 0.9971438717532467 | PGP Secret Sub-key - | 7.998283255850867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x60000 | 0x1e0 | 0x200 | b0719d9fb6f6593878cf5c523f13af07 | False | 0.52734375 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x61000 | 0x1a60 | 0x1c00 | ffa018fa0ff6a602e133d892d6803856 | False | 0.7205636160714286 | data | 6.362035067940247 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x60060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
USER32.dll | OpenIcon
KERNEL32.dll | LoadLibraryExW, CreateFileW, VirtualProtect, FreeConsole, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                              May 2, 2024 23:45:49.608931065 CEST5843753192.168.2.41.1.1.1
                                                                                                                                                              May 2, 2024 23:45:49.699968100 CEST53584371.1.1.1192.168.2.4
                                                                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                              May 2, 2024 23:45:49.608931065 CEST192.168.2.41.1.1.10xe974Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                              May 2, 2024 23:45:49.699968100 CEST1.1.1.1192.168.2.40xe974No error (0)steamcommunity.com104.105.90.131A (IP address)IN (0x0001)false
                                                                                                                                                              • steamcommunity.com


Target ID: 0
Start time: 23:45:47
Start date: 02/05/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xdf0000
File size: 386'560 bytes
MD5 hash: 1A6B4D357D1B8BAB80524E40BE1B2698
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1607514385.0000000000E1D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 23:45:47
Start date: 02/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 23:45:48
Start date: 02/05/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xc60000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2862223964.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false

No disassembly