
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1437185
MD5: b9773393891d9cc471cd58cac09052dd
SHA1: 784a14954c7abca7d7e2e92c60b93557238426f4
SHA256: 0a8357cb9a1d348d1c4b4ec101f2328fd43f976803bcc360525ced55fbb9aeaf
Tags: exe

Detection

PureLog Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Vidar stealer
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B9773393891D9CC471CD58CAC09052DD)
    • RegAsm.exe (PID: 5816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "ad7dbf02afc50b46afd33ddc12f41082", "Version": "9.4"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000000.1628578580.00000000009A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x211f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x211e8:$s2: HAL9TH
Process Memory Space: file.exe PID: 3228 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.0.file.exe.9a0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
1.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
1.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x211f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x211e8:$s2: HAL9TH
0.2.file.exe.3d65570.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.file.exe.3d65570.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x1fbf0:$s1: JohnDoe
  • 0x1fbe8:$s2: HAL9TH

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199680449169"], "Botnet": "ad7dbf02afc50b46afd33ddc12f41082", "Version": "9.4"}
Source: https://65.108.152.56:9000/W | Virustotal: Detection: 8%
Source: https://65.108.152.56:9000/D | Virustotal: Detection: 6%
Source: https://65.108.152.56:9000/sqlx.dllg | Virustotal: Detection: 8%
Source: file.exe | ReversingLabs: Detection: 63%
Source: file.exe | Virustotal: Detection: 42%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004062F1 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040628E CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040832A memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040247E memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040FD97 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NETCrypt.pdb | source: file.exe
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb | source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040B700 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041531B _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414462 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00409531 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040994C _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414B2E _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414ED2 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00409FBE _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004148AF _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199680449169
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 65.108.152.56:9000
Source: global traffic | HTTP traffic detected:
  GET /profiles/76561199680449169 HTTP/1.1
  Host: steamcommunity.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.105.90.131
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 65.108.152.56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004041D4 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=roSu
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=sV4C07YVtT0V&amp
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
                  Source: 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/r
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo
                  Source: RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/toolt
                  Source: RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
                  Source: IEHJJE.1.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: IEHJJE.1.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: IEHJJE.1.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://help.steampowered.com/en/
                  Source: 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/discussions/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/market/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                  Source: file.exe, 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2880922498.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/badges
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/profiles/76561199680449169/inventory/
                  Source: RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/
                  Source: 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/about/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/explore/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/legal/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/mobile
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/news/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/stats/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.comv
                  Source: RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmp, HDBKJE.1.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: HDBKJE.1.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                  Source: RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmp, HDBKJE.1.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: HDBKJE.1.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                  Source: file.exe, 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/r1g1o
                  Source: file.exeString found in binary or memory: https://www.digicert.com/CPS0
                  Source: IEHJJE.1.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: IEHJJE.1.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownHTTPS traffic detected: 104.105.90.131:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004102E8 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

System Summary

Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.3d65570.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.3d65570.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D20C38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D20C28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D2099F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D209B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041AB59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041BCD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4A4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B492018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B545940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B491C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B492AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4912A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5F9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5253B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B493580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B66D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5B5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4A9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B54D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B539690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5F9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B594A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B491EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4B8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B493AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B518120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5B8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B510090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4B8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4F4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B528760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4B8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5D0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4BBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4C3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B58A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5AA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5769C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B493E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B5CE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4D6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B66AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4919DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B51A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B49209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4A66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4BA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B58A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4947AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B49415B appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B491C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004024F9 appears 312 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B49395E appears 78 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B491F5A appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B493AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B6706B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004170DA appears 98 times
Source: file.exe | Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.1630251507.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1628616143.00000000009F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNETCrypt.exe4 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameNETCrypt.exe4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.3d65570.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.3d65570.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/12@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040F310 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040F711 CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString,
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
                  Source: C:\Users\user\Desktop\file.exeMutant created: NULL
                  Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: KFIJEG.1.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: file.exe | ReversingLabs: Detection: 63%
                  Source: file.exe | Virustotal: Detection: 42%
                  Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptnet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: NETCrypt.pdb source: file.exe
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.2886538230.000000001B6A8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.dr

                  Data Obfuscation

                  Source: file.exe, gBMthepoZSL1ZVKpeA.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00416676 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: sqlx[1].dll.1.dr | Static PE information: section name: .00cfg
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00418205 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B491BF9 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4910C8 push ecx; ret
                  Source: file.exe | Static PE information: section name: .text entropy: 7.421157543801175
                  Source: file.exe, eRtoUikQAUlfmrcXhP.cs | High entropy of concatenated method names: 'WKIpT6WRYP', 'GxIp0d0vl2', 'R3Ppdmg34A', 'iAsp1JjQqZ', 'yQwppAuByG', 'BT0pvkDekn', 'ENbpFei3CE', 'YlPUn7XuQH', 'Qsnpc1Onv9', 'jAdpZCXbre'
                  Source: file.exe, gBMthepoZSL1ZVKpeA.cs | High entropy of concatenated method names: 'reTlcDMFua', 'nW4lBacjpc', 'sMLlkdoJ60', 'I5LlJVOMeQ', 'qdll7OAZFb', 'QEmlZSRGOw', 'RegMCu0N1R', 'N15X2cY3J', 'NWNp5BRFs', 'Q59l6jZOT'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                  Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5816, type: MEMORYSTR
                  Source: RegAsm.exe | Binary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exe | Binary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exe | Binary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2B30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2D60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                  Source: C:\Users\user\Desktop\file.exe TID: 2196 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040ECD4 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040EDE7h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040B700 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041531B _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414462 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00409531 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040994C _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414B2E _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414ED2 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00409FBE _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004148AF _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0040EE70 GetSystemInfo,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: RegAsm.exe, 00000001.00000002.2881580352.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: RegAsm.exe, 00000001.00000002.2880922498.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: RegAsm.exe, 00000001.00000002.2881580352.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwarer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004183AF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00416676 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004041D4 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041D468 SetUnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004198D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B4942AF SetUnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_1B492C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D69741 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004101A9 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 421000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 878008
                  Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040FB47 _EH_prolog,GetSystemTime,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040EBBA GetProcessHeap,HeapAlloc,GetUserNameA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040EC81 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000001.00000002.2881326562.0000000000E72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: file.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.file.exe.9a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1628578580.00000000009A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.3d65570.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.3d65570.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 3228, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5816, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5816, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: file.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.file.exe.9a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.1628578580.00000000009A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.3d65570.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.3d65570.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 3228, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5816, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B50DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B535910 sqlite3_mprintf,sqlite3_bind_int64,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5BD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B50DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B511FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4A5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B54D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5351D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B529090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B56D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5355B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5B14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5BD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4A4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4C0FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B574D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B508200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4E06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4B8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4E8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B553770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B5737E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4BB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4EEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4FE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B50E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4FE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B4A66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1B50A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 44 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 511 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label | Link
file.exe | 63% | ReversingLabs | Win32.Trojan.Privateloader
file.exe | 42% | Virustotal | | Browse
file.exe | 100% | Avira | HEUR/AGEN.1323756
file.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 1% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://65.108.152.56:9000/nss3.dllData | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000 | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/mozglue.dll | 0% | Avira URL Cloud | safe
https://store.steampowered.comv | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/vcruntime140.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/nss3.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/nss3.dllft | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/softokn3.dllessionKeyBackward | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/nss3.dllU | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/freebl3.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000el | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/o | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/W | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/msvcp140.dllt | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000 | 0% | Virustotal | | Browse
https://65.108.152.56:9000/G | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/D | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/soft | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/softokn3.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000softokn3.dlldge | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/ | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/7 | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/dZ | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/W | 9% | Virustotal | | Browse
https://65.108.152.56:9000/mozglue.dllEdge | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000ing | 0% | Avira URL Cloud | safe
https://65.108.152.56/ | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/sqlx.dllg | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/vcruntime140.dll_7) | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000lGoogle | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/ | 0% | Virustotal | | Browse
https://65.108.152.56:9000/freebl3.dll4 | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000l | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/ng | 0% | Avira URL Cloud | safe
https://65.108.152.56/ | 0% | Virustotal | | Browse
https://65.108.152.56:9000/msvcp140.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/D | 7% | Virustotal | | Browse
https://65.108.152.56:9000e1a3fmium | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/L~ | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/sqlx.dll | 0% | Avira URL Cloud | safe
https://65.108.152.56:9000/sqlx.dllg | 9% | Virustotal | | Browse
https://65.108.152.56:9000/sqlx.dll | 4% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
steamcommunity.com | 104.105.90.131 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199680449169 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | IEHJJE.1.dr | false | | high
https://duckduckgo.com/ac/?q= | IEHJJE.1.dr | false | | high
https://steamcommunity.com/?subsection=broadcasts | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://store.steampowered.comv | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://65.108.152.56:9000/mozglue.dll | RegAsm.exe, 00000001.00000002.2881273063.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://65.108.152.56:9000 | 76561199680449169[1].htm.1.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://65.108.152.56:9000/vcruntime140.dll | RegAsm.exe, 00000001.00000002.2881326562.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub& | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://65.108.152.56:9000/nss3.dllData | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
http://www.valvesoftware.com/legal.htm | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=roSu | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://65.108.152.56:9000/nss3.dll | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2881326562.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://65.108.152.56:9000/nss3.dllft | RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://65.108.152.56:9000/softokn3.dllessionKeyBackward | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://65.108.152.56:9000/nss3.dllU | RegAsm.exe, 00000001.00000002.2881415199.0000000000F95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://65.108.152.56:9000el | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh& | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://65.108.152.56:9000/freebl3.dll | RegAsm.exe, 00000001.00000002.2881273063.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2881326562.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l= | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw& | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
http://store.steampowered.com/privacy_agreement/ | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://65.108.152.56:9000/o | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8A | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67& | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://store.steampowered.com/points/shop/ | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | IEHJJE.1.dr | false | | high
https://65.108.152.56:9000/W | RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp | false | 9%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmp, HDBKJE.1.dr | false | | high
                                                                https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPKRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                  high
                                                                  https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&ampRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                    high
                                                                    https://steamcommunity.com/profiles/76561199680449169/badgesRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                      high
                                                                      https://www.ecosia.org/newtab/IEHJJE.1.drfalse
                                                                        high
                                                                        https://65.108.152.56:9000/msvcp140.dlltRegAsm.exe, 00000001.00000002.2881273063.0000000000E4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                          high
                                                                          https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                            high
                                                                            https://65.108.152.56:9000/GRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://65.108.152.56:9000/DRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • 7%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                              high
                                                                              https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                high
                                                                                https://65.108.152.56:9000/softRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://65.108.152.56:9000/softokn3.dllRegAsm.exe, 00000001.00000002.2881273063.0000000000E4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://65.108.152.56:9000softokn3.dlldgeRegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                low
                                                                                https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                  high
                                                                                  https://65.108.152.56:9000/RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                  • 0%, Virustotal, Browse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://65.108.152.56:9000/7RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                    high
                                                                                    https://65.108.152.56:9000/dZRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://65.108.152.56:9000/mozglue.dllEdgeRegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesHDBKJE.1.drfalse
                                                                                      high
                                                                                      https://65.108.152.56:9000ingRegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      low
                                                                                      https://store.steampowered.com/about/76561199680449169[1].htm.1.drfalse
                                                                                        high
                                                                                        https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                          high
                                                                                          https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                            high
                                                                                            https://65.108.152.56/RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • 0%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://65.108.152.56:9000/sqlx.dllgRegAsm.exe, 00000001.00000002.2881415199.0000000000F95000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • 9%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://65.108.152.56:9000/vcruntime140.dll_7)RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://help.steampowered.com/en/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                              high
                                                                                              https://steamcommunity.com/market/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                high
                                                                                                https://store.steampowered.com/news/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                  high
                                                                                                  https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englisRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                      high
                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=IEHJJE.1.drfalse
                                                                                                        high
                                                                                                        http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                          high
                                                                                                          https://steamcommunity.com/login/home/?goto=profiles%2F7656119968044916976561199680449169[1].htm.1.drfalse
                                                                                                            high
                                                                                                            https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                              high
                                                                                                              https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                high
                                                                                                                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RegAsm.exe, 00000001.00000002.2880201060.0000000000573000.00000040.00000400.00020000.00000000.sdmp, HDBKJE.1.drfalse
                                                                                                                  high
                                                                                                                  https://steamcommunity.com/discussions/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                    high
                                                                                                                    https://t.me/r1g1ofile.exe, 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://store.steampowered.com/stats/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                        high
                                                                                                                        https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampRegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                          high
                                                                                                                          https://65.108.152.56:9000lGoogleRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          low
                                                                                                                          https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                            high
                                                                                                                            https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                              high
                                                                                                                              https://65.108.152.56:9000/freebl3.dll4RegAsm.exe, 00000001.00000002.2881326562.0000000000EA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                                high
                                                                                                                                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallHDBKJE.1.drfalse
                                                                                                                                  high
                                                                                                                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchIEHJJE.1.drfalse
                                                                                                                                    high
                                                                                                                                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                                      high
                                                                                                                                      https://65.108.152.56:9000lRegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      low
                                                                                                                                      https://65.108.152.56:9000/ngRegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://65.108.152.56:9000/msvcp140.dllRegAsm.exe, 00000001.00000002.2881273063.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880201060.0000000000535000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://65.108.152.56:9000e1a3fmiumRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      low
                                                                                                                                      https://steamcommunity.com/workshop/RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/legal/RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.drfalse
                                                                                                                                          high
                                                                                                                                          https://65.108.152.56:9000/L~RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://community.cloudflare.steamstatic.com/public/shared/images/rRegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://www.sqlite.org/copyright.html.RegAsm.exe, 00000001.00000002.2886655892.000000001B6DD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2882085104.0000000015737000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.1.drfalse
                                                                                                                                              high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l= | 76561199680449169[1].htm.1.dr | false | | high
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en | RegAsm.exe, 00000001.00000002.2880201060.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2880922498.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, 76561199680449169[1].htm.1.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | IEHJJE.1.dr | false | | high
https://65.108.152.56:9000/sqlx.dll | RegAsm.exe, 00000001.00000002.2880201060.000000000052F000.00000040.00000400.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
65.108.152.56 | unknown | United States | 11022 | ALABANZA-BALTUS | false
104.105.90.131 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1437185
Start date and time:2024-05-07 05:28:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 19s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@3/12@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 104.102.251.17, 104.102.251.89
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:28:58 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
No context
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Reputation:high, very likely benign file
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:modified
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Reputation:high, very likely benign file
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Reputation:high, very likely benign file
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Reputation:high, very likely benign file
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Reputation:high, very likely benign file
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
                                                                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):40960
                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):69993
                                                                                                                                                      Entropy (8bit):7.99584879649948
                                                                                                                                                      Encrypted:true
                                                                                                                                                      SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                                                                                                                                      MD5:29F65BA8E88C063813CC50A4EA544E93
                                                                                                                                                      SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                                                                                                                                      SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                                                                                                                                      SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):330
                                                                                                                                                      Entropy (8bit):3.217935332070547
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6:kKklEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:MlbkPlE99SNxAhUeVLVt
                                                                                                                                                      MD5:457C16EABAD85393C2438B34FEB507A6
                                                                                                                                                      SHA1:0CE6ADD73AD8EE9C5AE93913F90C10F60B2E2F84
                                                                                                                                                      SHA-256:DA40515D3E2FB4633893866C996982458B76FFDA1977689597DAED2146E26A71
                                                                                                                                                      SHA-512:D9FA070DE00C0BDDE916FD8A902302CFC9BC09FFCC0BFAAC8CD967EA39A790DB8D85905176ECBC09E2F1DF19749D8FD9D113AE2D7F46DC3350B96FB1B3291389
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:p...... ........ .9.....(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                                                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):42
                                                                                                                                                      Entropy (8bit):4.0050635535766075
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                      MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                      SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                      SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                      SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):35663
                                                                                                                                                      Entropy (8bit):5.3820204547725865
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:c7pqLtWYmwt5D0gq9siNGAGPzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2Sq:c78LtWYmwt5D0gq9scGPzzgiJmDzJtx2
                                                                                                                                                      MD5:ED01FF8187C1C331702AB5F6E5E1631B
                                                                                                                                                      SHA1:B982DE4E0762387C0FFFCFAC84B86FAE16EA52C1
                                                                                                                                                      SHA-256:CB3DC06E3EBE65FC84FB78704A23A69B5961B6F62D72CAD01B2AECD4774763BE
                                                                                                                                                      SHA-512:3CCFEF284D9A104BCC00BDE50CAC1DE5578281BFF2F8DA1872AC722E128C5814CD4B77438BB80577E825BE077A8426FB2629995D905C5D03847E56D0ECC01C59
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: p__o https://65.108.152.56:9000|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/global
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2459136
                                                                                                                                                      Entropy (8bit):6.052474106868353
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                                                                                                      MD5:90E744829865D57082A7F452EDC90DE5
                                                                                                                                                      SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                                                                                                      SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                                                                                                      SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                                                                                                      Malicious:false
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................
                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Entropy (8bit):7.414407050048219
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                      File name:file.exe
                                                                                                                                                      File size:358'000 bytes
                                                                                                                                                      MD5:b9773393891d9cc471cd58cac09052dd
                                                                                                                                                      SHA1:784a14954c7abca7d7e2e92c60b93557238426f4
                                                                                                                                                      SHA256:0a8357cb9a1d348d1c4b4ec101f2328fd43f976803bcc360525ced55fbb9aeaf
                                                                                                                                                      SHA512:72a669e736ecfc5422a07542e15cad7d82b9ae41591f4c375e31fa4dc2d70f620b44ff19b5b6d0928aac3cf244a3143af433d47eeaa3c5c6b9968cf71d1e6848
                                                                                                                                                      SSDEEP:6144:Dqv0Ib3JJzx1MfjF+N33l3+YBVYjZ7eZH9PJWweK/ojy8Kkc2ivFt+0P:Gb3TEbF+13NPYd6B9lcdFBsPP
                                                                                                                                                      TLSH:B1749FD48267CF37D3ED0778F095120593FD820B8893FB4A6A2416A1590A3E2F7566FB
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.8f.................F...........d... ........@.. ....................................`................................
                                                                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                                                                      Entrypoint:0x4564de
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:true
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                      Time Stamp:0x6638D46F [Mon May 6 13:00:31 2024 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                      OS Version Major:4
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:4
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                      Subsystem Version Minor:0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 08/10/2020 01:00:00, 12/10/2023 13:00:00
Subject Chain:
• CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version: 3
Thumbprint MD5: 332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1: CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256: 531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial: 0C9838F673F9B1CCE395CFAB2B6684E4
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x56490          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x58000          0x53c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x55000          0x2670
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x56447          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x544e4       0x54600   cd200369f3723ebffd9769e4598cb5e7  False     0.7394241898148148  data       7.421157543801175    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x58000          0x53c         0x600     b3903f7a2f10b94867e427ae266651a6  False     0.390625            data       3.9246143706878946   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x5a000          0xc           0x200     fb9aeb40bfad98519cace1adb7b9f6da  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x580a0  0x2b0  data                                                                                                   0.4375
RT_MANIFEST  0x58350  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                          Source Port  Dest Port  Source IP       Dest IP
May 7, 2024 05:28:54.186081886 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.186120033 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.186193943 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.192341089 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.192354918 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.373563051 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.373641014 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.444263935 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.444284916 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.444617987 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.444678068 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.447978020 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.488120079 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.825839996 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.825865030 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.825894117 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.825948954 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.825969934 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.825989008 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.826020956 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.911032915 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.911071062 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.911122084 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.911129951 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.911159992 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.911175013 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.929805040 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.929846048 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.929867983 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.929883003 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.929925919 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.930380106 CEST  49731        443        192.168.2.4     104.105.90.131
May 7, 2024 05:28:54.930394888 CEST  443          49731      104.105.90.131  192.168.2.4
May 7, 2024 05:28:54.940658092 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:55.124442101 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:55.124541044 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:55.124906063 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:55.308558941 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:55.335064888 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:55.335078001 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:55.335280895 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:55.904119015 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:56.088542938 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:56.088629007 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:56.088963985 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:56.314002037 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:56.604398012 CEST  9000         49732      65.108.152.56   192.168.2.4
May 7, 2024 05:28:56.604489088 CEST  49732        9000       192.168.2.4     65.108.152.56
May 7, 2024 05:28:56.607820034 CEST  49734        9000       192.168.2.4     65.108.152.56
                                                                                                                                                      May 7, 2024 05:28:56.791517973 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:56.791601896 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:56.791857958 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:56.975559950 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:56.975790024 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:56.975832939 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:56.976175070 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:56.977679014 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.161231041 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.567095041 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.567166090 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.568280935 CEST497329000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.568749905 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.752975941 CEST90004973265.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.753046989 CEST497329000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.755163908 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.755229950 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.755485058 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.940929890 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.941137075 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:57.941189051 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.943748951 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:57.945174932 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.130691051 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.491302967 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.491322041 CEST90004973565.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.491475105 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.492830992 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.493206978 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.681381941 CEST90004973465.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.681405067 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.681457043 CEST497349000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.681514978 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.681926966 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.865605116 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.865900040 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:58.865962982 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.866276026 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:58.867717028 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.053447008 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444582939 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444606066 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444619894 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444633961 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444647074 CEST90004973665.108.152.56192.168.2.4
                                                                                                                                                      May 7, 2024 05:28:59.444659948 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.444688082 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.444708109 CEST497369000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.496557951 CEST497359000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.496889114 CEST497379000192.168.2.465.108.152.56
                                                                                                                                                      May 7, 2024 05:28:59.682235956 CEST90004973565.108.152.56192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 7, 2024 05:28:54.095249891 CEST | 55374 | 53 | 192.168.2.4 | 1.1.1.1
May 7, 2024 05:28:54.181236029 CEST | 53 | 55374 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 7, 2024 05:28:54.095249891 CEST | 192.168.2.4 | 1.1.1.1 | 0xa13a | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 7, 2024 05:28:54.181236029 CEST | 1.1.1.1 | 192.168.2.4 | 0xa13a | No error (0) | steamcommunity.com | | 104.105.90.131 | A (IP address) | IN (0x0001) | false
May 7, 2024 05:28:55.456705093 CEST | 1.1.1.1 | 192.168.2.4 | 0x10a7 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
May 7, 2024 05:28:55.456705093 CEST | 1.1.1.1 | 192.168.2.4 | 0x10a7 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                                                                                      • steamcommunity.com


Target ID: 0
Start time: 05:28:52
Start date: 07/05/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x9a0000
File size: 358'000 bytes
MD5 hash: B9773393891D9CC471CD58CAC09052DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1632108400.0000000003D65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1628578580.00000000009A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 05:28:52
Start date: 07/05/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0x7e0000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000001.00000002.2880201060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false

                                                                                                                                                      No disassembly