
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1443958
MD5: 7e74918f0790056546b862fa3e114c2a
SHA1: 0042d5e84604f4e144ea0795db36839c50d8ed1f
SHA256: fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E74918F0790056546B862FA3E114C2A)
    • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source | Rule | Description | Author | Strings
00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen | 0x221f0:$s1: JohnDoe; 0x221e8:$s2: HAL9TH
00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: file.exe PID: 6708 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
2.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen | 0x221f0:$s1: JohnDoe; 0x221e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen | 0x20df0:$s1: JohnDoe; 0x20de8:$s2: HAL9TH
0.2.file.exe.130000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: https://116.202.5.235:9000/soft | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dllP | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dlldge | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/mozglue.dllEdge | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/nss3.dll2 | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dllf | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/freebl3.dllEdge | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000 | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllets | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dlldge | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/sqlx.dll | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/softokn3.dll2 | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/nss3.dllft | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllUser | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dll. | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/v | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/ | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/f | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/b | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllO | Avira URL Cloud: Label: malware
Source: https://t.me/k0mono | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/inventory/ | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/badges | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllh | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/msvcp140.dllD | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/vcruntime140.dllc | Avira URL Cloud: Label: malware
Source: https://116.202.5.235:9000/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://116.202.5.235/ | Avira URL Cloud: Label: malware
Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source: https://116.202.5.235:9000/sqlx.dll | Virustotal: Detection: 9%
Source: https://116.202.5.235:9000/v | Virustotal: Detection: 9%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0014D9D0 FreeConsole,GetCurrentThreadId,CryptDecrypt,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004082DE memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00145066 FindFirstFileExW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199686524322
Source: global traffic | TCP traffic: 192.168.2.4:49744 -> 116.202.5.235:9000
Source: global traffic | HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /k0mono HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.102.42.29
Source: Joe Sandbox View | IP Address: 116.202.5.235
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 116.202.5.235 (this entry is reported 50 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000002.00000002.2900507814.000000000121A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235/
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235/ahI
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/2b1cosoft
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/8
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/9
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/B
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/N
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/O
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/V
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/b
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/f
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/freebl3.dllEdge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/mozglue.dll$
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/mozglue.dllEdge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/msvcp140.dllD
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/msvcp140.dllP
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/msvcp140.dlldge
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/nss3.dll2
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/nss3.dllft
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/soft
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/softokn3.dll2
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/softokn3.dllP
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/softokn3.dlldge
Source: RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/softokn3.dllf
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/sqlx.dll
Source: RegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/v
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dll.
Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllO
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllc
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000/vcruntime140.dllh
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:900062b1c
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000EB
Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000ing
Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://116.202.5.235:9000l
Source: FHJEGI.2.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199686524322[1].htm.2.dr | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: FHJEGI.2.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FHJEGI.2.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: FHJEGI.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.s
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                Source: FHJEGI.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: FHJEGI.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: FHJEGI.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/_
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: file.exe, 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/badges
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/inventory/
                Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322C
                Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322P
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/legal/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: DHCFID.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: DHCFID.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/k0mono
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/k0monoHi
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                Source: FHJEGI.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: FHJEGI.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknown | HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.4:49742 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49743 version: TLS 1.2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                System Summary

                Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 00135D10 appears 51 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 19233AF3 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 19231F5A appears 31 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 194106B1 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1923415B appears 125 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004024D7 appears 312 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 19231C2B appears 47 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 1923395E appears 78 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004180A8 appears 104 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/9@2/3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004102C3 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                Source: KFBAEC.2.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                Source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905201001.0000000019448000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: sqlx[1].dll.2.dr | Static PE information: section name: .00cfg
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00135285 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004191D5 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19231BF9 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192310C8 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR
                Source: RegAsm.exe | Binary or memory string: DIR_WATCH.DLL
                Source: RegAsm.exe | Binary or memory string: SBIEDLL.DLL
                Source: RegAsm.exe | Binary or memory string: API_LOG.DLL
                Source: RegAsm.exe, 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00145066 FindFirstFileExW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FE81 GetSystemInfo,wsprintfA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                Source: RegAsm.exe, 00000002.00000002.2900507814.0000000001293000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
                Source: RegAsm.exe, 00000002.00000002.2900507814.000000000121A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900507814.0000000001293000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: RegAsm.exe, 00000002.00000002.2901123982.00000000037A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139833 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001408D5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00140919 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013D920 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00148830 GetProcessHeap,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139833 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00135AE9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00135C45 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001357DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041E438 SetUnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19232C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192342AF SetUnhandledExceptionFilter,

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D95008
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001355CC cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001359DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3264, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192D5910 sqlite3_mprintf,sqlite3_bind_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1935D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192ADB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19245C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192B1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192ADFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192D51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192C9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192ED3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192D55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1935D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_193514D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1930D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19244820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19314D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19260FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192A8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19288550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_19258680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192806E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1925B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192F3770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_193137E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1928EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192AE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1929E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_1929E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192AA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_192466C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,

                MITRE ATT&CK Matrix (one tactic per column; a leading number in a cell is the report's signature-count badge, reproduced as extracted)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 511 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 511 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 12 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 54 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Antivirus Detection (submitted sample)

                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | HEUR/AGEN.1352999 |
                file.exe | 100% | Joe Sandbox ML | |

                Antivirus Detection (dropped files)

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 0% | ReversingLabs | |
                No Antivirus matches

                Antivirus Detection (domains)

                Source | Detection | Scanner | Label | Link
                steamcommunity.com | 0% | Virustotal | | Browse
                t.me | 0% | Virustotal | | Browse
                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                steamcommunity.com | 104.102.42.29 | true | true | | unknown
                t.me | 149.154.167.99 | true | false | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                https://t.me/k0mono | false | Avira URL Cloud: malware | unknown
                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/nss3.dll2RegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/softokn3.dllfRegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/freebl3.dllEdgeRegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=englishRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000586000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpfalse
                • 3%, Virustotal, Browse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/vcruntime140.dlletsRegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/msvcp140.dlldgeRegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://steamcommunity.com/login/home/?goto=profiles%2F7656119968652432276561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/sqlx.dllRegAsm.exe, 00000002.00000002.2899893197.0000000000561000.00000040.00000400.00020000.00000000.sdmpfalse
                • 10%, Virustotal, Browse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000ingRegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://store.steampowered.com/points/shop/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=FHJEGI.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://steamcommunity.com/_RegAsm.exe, 00000002.00000002.2900507814.0000000001272000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.drfalse
                • URL Reputation: safe
                unknown
                https://www.ecosia.org/newtab/FHJEGI.2.drfalse
                • URL Reputation: safe
                unknown
                https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/softokn3.dllRegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/softokn3.dll2RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=englishRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesDHCFID.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englisRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCRegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/nss3.dllftRegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://store.steampowered.com/about/76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/vcruntime140.dllUserRegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://t.me/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/vcruntime140.dll.RegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://web.telegram.orgRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000523000.00000040.00000400.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/vRegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmpfalse
                • 10%, Virustotal, Browse
                • Avira URL Cloud: malware
                unknown
                https://help.steampowered.com/en/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://steamcommunity.com/market/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://store.steampowered.com/news/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&aRegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=FHJEGI.2.drfalse
                • URL Reputation: safe
                unknown
                http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmp, DHCFID.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/mozglue.dllRegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/fRegAsm.exe, 00000002.00000002.2900987028.00000000013F7000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://116.202.5.235:9000/bRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://steamcommunity.com/discussions/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/vcruntime140.dllORegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://store.steampowered.com/stats/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallDHCFID.2.drfalse
                • URL Reputation: safe
                unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchFHJEGI.2.drfalse
                • URL Reputation: safe
                unknown
                https://steamcommunity.com/profiles/76561199686524322/inventory/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: malware
                unknown
                https://steamcommunity.com/profiles/76561199686524322/badgesRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: malware
                unknown
                https://steamcommunity.com/workshop/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: safe
                unknown
                https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eRegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=eRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.sqlite.org/copyright.html.RegAsm.exe, 00000002.00000002.2901515013.00000000134DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2905345080.000000001947D000.00000002.00001000.00020000.00000000.sdmp, sqlx[1].dll.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUzRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/vcruntime140.dllhRegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://www.google.com/images/branding/product/ico/googleg_lodp.icoFHJEGI.2.drfalse
                • Avira URL Cloud: safe
                unknown
                https://116.202.5.235:9000/msvcp140.dllDRegAsm.exe, 00000002.00000002.2900806294.0000000001380000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/vcruntime140.dllcRegAsm.exe, 00000002.00000002.2900806294.000000000138F000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235:9000/freebl3.dllRegAsm.exe, 00000002.00000002.2900946263.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.00000000005A5000.00000040.00000400.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://116.202.5.235/RegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: malware
                unknown
                https://store.steampowered.com/76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
                https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwRegAsm.exe, 00000002.00000002.2900666615.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                • URL Reputation: safe
                unknown
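The rows for 116.202.5.235:9000 are the operationally interesting part of this table: the injected RegAsm.exe requests mozglue.dll, nss3.dll, softokn3.dll and freebl3.dll (the Mozilla NSS libraries a stealer loads to decrypt Firefox credential stores), the VC++ runtime they depend on, and sqlx.dll (a SQLite library for reading the copied browser databases), all on a non-standard port from a host with no domain. Because Joe Sandbox lists every URL-like string carved from memory, the same endpoint appears a dozen times with trailing garbage from adjacent bytes ("mozglue.dllEdge", ":9000ing"). The Python below is an added example, not code from the report or from Joe Sandbox: it trims that garbage, deduplicates, and groups by endpoint so the served file names and the non-standard port stand out. The sample rows are copied from the table above; the extension list and the port-garbage heuristic are this example's assumptions about how carving fails, not anything the report states.

```python
"""IOC normalisation for URL strings carved from process memory.

Added example (not Joe Sandbox code). Sandbox URL tables list every URL-like
string found in memory dumps, so one C2 endpoint shows up many times, often
with trailing garbage from adjacent memory ("mozglue.dllEdge", ":9000ing").
This script trims the garbage, deduplicates, and groups by host[:port].
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL string, scanner verdict) pairs copied from the URL
# table in the report. The verdict is the Avira URL Cloud / URL Reputation label.
SAMPLE_ROWS = [
    ("https://116.202.5.235:9000/mozglue.dllEdge", "malware"),
    ("https://116.202.5.235:9000/nss3.dll2", "malware"),
    ("https://116.202.5.235:9000/softokn3.dllf", "malware"),
    ("https://116.202.5.235:9000/freebl3.dllEdge", "malware"),
    ("https://116.202.5.235:9000/vcruntime140.dllets", "malware"),
    ("https://116.202.5.235:9000/msvcp140.dlldge", "malware"),
    ("https://116.202.5.235:9000/sqlx.dll", "malware"),
    ("https://116.202.5.235:9000/softokn3.dll", "malware"),
    ("https://116.202.5.235:9000ing", "safe"),
    ("https://116.202.5.235:9000", "malware"),
    ("https://116.202.5.235/", "malware"),
    ("https://steamcommunity.com/profiles/76561199686524322/badges", "malware"),
    ("https://t.me/", "safe"),
    ("https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english", "safe"),
]

# Assumption: a path ending in one of these extensions is complete, and any
# letters/digits glued directly after the extension are carving garbage.
# Longer alternatives come first so ".html" is not cut down to ".htm".
_KNOWN_EXT = ("dll", "exe", "js", "css", "png", "jpg", "ico", "html", "htm")
_EXT_RE = re.compile(r"^(.*?\.(?:%s))[^./?&=]*$" % "|".join(_KNOWN_EXT), re.IGNORECASE)
# "https://host:9000ing" -> "https://host:9000" (letters glued to the port number).
_PORT_RE = re.compile(r"^(https?://[^/:]+:\d+)[A-Za-z]+$")


def clean_url(raw: str) -> str:
    """Return scheme://host[:port]/path with carving garbage removed.

    The query string is dropped on purpose: cache-busting parameters such as
    ?v=... are not useful as indicators.
    """
    raw = raw.strip()
    m = _PORT_RE.match(raw)
    if m:
        raw = m.group(1)
    parts = urlsplit(raw)
    path = parts.path
    m = _EXT_RE.match(path)
    if m:
        path = m.group(1)
    return f"{parts.scheme}://{parts.netloc}{path}"


def group_iocs(rows):
    """Group cleaned URLs by host[:port] -> {"paths": [...], "verdicts": [...]}."""
    groups = defaultdict(lambda: {"paths": set(), "verdicts": set()})
    for raw, verdict in rows:
        parts = urlsplit(clean_url(raw))
        entry = groups[parts.netloc]
        entry["verdicts"].add(verdict)
        if parts.path not in ("", "/"):
            entry["paths"].add(parts.path)
    return {
        host: {"paths": sorted(v["paths"]), "verdicts": sorted(v["verdicts"])}
        for host, v in groups.items()
    }


def flagged_endpoints(groups):
    """Endpoints with at least one 'malware' verdict, most served paths first."""
    return sorted(
        (h for h, v in groups.items() if "malware" in v["verdicts"]),
        key=lambda h: (-len(groups[h]["paths"]), h),
    )


def nonstandard_ports(groups):
    """Endpoints contacted on a port other than 80/443."""
    hits = []
    for netloc in groups:
        _, sep, port = netloc.rpartition(":")
        if sep and port.isdigit() and int(port) not in (80, 443):
            hits.append(netloc)
    return sorted(hits)


if __name__ == "__main__":
    summary = group_iocs(SAMPLE_ROWS)
    for host in flagged_endpoints(summary):
        print(host, summary[host]["verdicts"], summary[host]["paths"])
    print("non-standard ports:", nonstandard_ports(summary))
```

Run on the sample, the 9000/tcp endpoint collapses to seven distinct DLL paths and is the only non-standard port; the steamcommunity.com profile and t.me entries survive as separate endpoints, which is what you want when the same family is known to pull its live C2 address from a profile page rather than embedding it.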
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.42.29 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
116.202.5.235 | unknown | Germany | 24940 | HETZNER-ASDE | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1443958
                Start date and time:2024-05-19 09:08:06 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 4s
                Hypervisor based Inspection enabled:false
                Report type:light
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@4/9@2/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • TCP Packets have been reduced to 100
                • Excluded IPs from analysis (whitelisted): 20.42.73.29
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:09:04 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                Category:dropped
                Size (bytes):159744
                Entropy (8bit):0.7873599747470391
                Encrypted:false
                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                Category:dropped
                Size (bytes):126976
                Entropy (8bit):0.47147045728725767
                Encrypted:false
                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                Category:dropped
                Size (bytes):106496
                Entropy (8bit):1.1358696453229276
                Encrypted:false
                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                MD5:28591AA4E12D1C4FC761BE7C0A468622
                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                Category:dropped
                Size (bytes):49152
                Entropy (8bit):0.8180424350137764
                Encrypted:false
                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                MD5:349E6EB110E34A08924D92F6B334801D
                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                Category:modified
                Size (bytes):114688
                Entropy (8bit):0.9746603542602881
                Encrypted:false
                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                MD5:780853CDDEAEE8DE70F28A4B255A600B
                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                Category:dropped
                Size (bytes):40960
                Entropy (8bit):0.8553638852307782
                Encrypted:false
                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                MD5:28222628A3465C5F0D4B28F70F97F482
                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                Malicious:false
                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                Category:dropped
                Size (bytes):28672
                Entropy (8bit):2.5793180405395284
                Encrypted:false
                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                Malicious:false
                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                Category:dropped
                Size (bytes):34714
                Entropy (8bit):5.386623198503238
                Encrypted:false
                SSDEEP:768:Ddpqm+0Ih3YAA9CWGA0fcDAZPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2T:Dd8m+0Ih3YAA9CWGA0FZPzzgiJmDzJtM
                MD5:1EF9C3C348E57460F3B94FC645431042
                SHA1:D91B82D9167E99DDB141F71EB8EB6EF609860D0C
                SHA-256:5F76FC8FE5351E2BF0C07C3A09D0B83F82F0B7F953537E4AB0EC025BB79798D3
                SHA-512:639CC2EF6CD5B8ED8EC35D4D40EE361AEABC4D8E09F09D6F175DA5DC6AD257221C298871248228734AFF064F9CF5E3F7E2064B6813D36A65FDCC91980242D7B5
                Malicious:false
                Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: 76561199686524322</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https:/
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2459136
                Entropy (8bit):6.052474106868353
                Encrypted:false
                SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                MD5:90E744829865D57082A7F452EDC90DE5
                SHA1:833B178775F39675FA4E55EAB1032353514E1052
                SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................
                File type:PE32 executable (console) Intel 80386, for MS Windows
                Entropy (8bit):7.557280266846168
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:372'736 bytes
                MD5:7e74918f0790056546b862fa3e114c2a
                SHA1:0042d5e84604f4e144ea0795db36839c50d8ed1f
                SHA256:fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc
                SHA512:684cfcf2f81398156460d8bb956897b6f0b4e1e230c187028c488d782305ec978eee657d3f536c7f8c431ada37f77f6398b03abe339af9ddae1dd66a5e9d2550
                SSDEEP:6144:SjyaaHbrb0YCCx3TkA1tiyGZnoi78XUeaiRkm09DLnWyYtR8/8yDe9a6n:eyaa7L1tiF2U6aas9votR8/BEFn
                TLSH:2684D051B1C0C071E56325364AF0DBB15E3EF9704FA15ECF67A40BBE4F30691DA21AAA
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r...............a.......a..k....a.......................a......................2.......2.......Rich....................PE..L..
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x40527b
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows cui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x66490AA4 [Sat May 18 20:08:04 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:65f8d3b7633d5a017c9f24a26c67363d
                Instruction
                call 00007F6260DFF85Eh
                jmp 00007F6260DFEF29h
                mov ecx, dword ptr [ebp-0Ch]
                mov dword ptr fs:[00000000h], ecx
                pop ecx
                pop edi
                pop edi
                pop esi
                pop ebx
                mov esp, ebp
                pop ebp
                push ecx
                ret
                mov ecx, dword ptr [ebp-10h]
                xor ecx, ebp
                call 00007F6260DFEE15h
                jmp 00007F6260DFF092h
                push eax
                push dword ptr fs:[00000000h]
                lea eax, dword ptr [esp+0Ch]
                sub esp, dword ptr [esp+0Ch]
                push ebx
                push esi
                push edi
                mov dword ptr [eax], ebp
                mov ebp, eax
                mov eax, dword ptr [0045A540h]
                xor eax, ebp
                push eax
                push dword ptr [ebp-04h]
                mov dword ptr [ebp-04h], FFFFFFFFh
                lea eax, dword ptr [ebp-0Ch]
                mov dword ptr fs:[00000000h], eax
                ret
                push eax
                push dword ptr fs:[00000000h]
                lea eax, dword ptr [esp+0Ch]
                sub esp, dword ptr [esp+0Ch]
                push ebx
                push esi
                push edi
                mov dword ptr [eax], ebp
                mov ebp, eax
                mov eax, dword ptr [0045A540h]
                xor eax, ebp
                push eax
                mov dword ptr [ebp-10h], eax
                push dword ptr [ebp-04h]
                mov dword ptr [ebp-04h], FFFFFFFFh
                lea eax, dword ptr [ebp-0Ch]
                mov dword ptr fs:[00000000h], eax
                ret
                push eax
                push dword ptr fs:[00000000h]
                lea eax, dword ptr [esp+0Ch]
                sub esp, dword ptr [esp+0Ch]
                push ebx
                push esi
                push edi
                mov dword ptr [eax], ebp
                mov ebp, eax
                mov eax, dword ptr [0045A540h]
                xor eax, ebp
                push eax
                mov dword ptr [ebp-10h], esp
                push dword ptr [ebp-04h]
                mov dword ptr [ebp-04h], FFFFFFFFh
                lea eax, dword ptr [ebp-0Ch]
                mov dword ptr fs:[00000000h], eax
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b6c | 0x3c | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x1a54 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x250e8 | 0x1c | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25028 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x164 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x1bb3f | 0x1bc00 | 896aa19da20dfcddfae4daf6f2295875 | False | 0.5772628096846847 | data | 6.600341435678309 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .bsS | 0x1d000 | 0xa84 | 0xc00 | 3a54c614cecfd0e64b884f3c41c32ad4 | False | 0.5911458333333334 | data | 5.946566168578569 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x1e000 | 0x9390 | 0x9400 | 05f792426862b0e0eea2c0e5e390047d | False | 0.39263091216216217 | data | 4.707613266129105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x28000 | 0x3437c | 0x33400 | c91ec62c4af8d334d85a9e884d07d303 | False | 0.9840844131097561 | data | 7.984093459079469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc | 0x5d000 | 0x1a54 | 0x1c00 | 988e3cd821783dfbb1c13de905f594d2 | False | 0.7306082589285714 | data | 6.373828393083266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLL | Import
                ADVAPI32.dll | CryptDecrypt
                KERNEL32.dll | WaitForSingleObject, CreateRemoteThread, VirtualAlloc, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                May 19, 2024 09:08:56.110912085 CEST | 62675 | 53 | 192.168.2.4 | 1.1.1.1
                May 19, 2024 09:08:56.119693995 CEST | 53 | 62675 | 1.1.1.1 | 192.168.2.4
                May 19, 2024 09:08:57.719383955 CEST | 58308 | 53 | 192.168.2.4 | 1.1.1.1
                May 19, 2024 09:08:57.727220058 CEST | 53 | 58308 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                May 19, 2024 09:08:56.110912085 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb2d | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
                May 19, 2024 09:08:57.719383955 CEST | 192.168.2.4 | 1.1.1.1 | 0x80a9 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                May 19, 2024 09:08:56.119693995 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb2d | No error (0) | steamcommunity.com |  | 104.102.42.29 | A (IP address) | IN (0x0001) | false
                May 19, 2024 09:08:57.727220058 CEST | 1.1.1.1 | 192.168.2.4 | 0x80a9 | No error (0) | t.me |  | 149.154.167.99 | A (IP address) | IN (0x0001) | false
                • steamcommunity.com
                • t.me

                Target ID:0
                Start time:03:08:54
                Start date:19/05/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x130000
                File size:372'736 bytes
                MD5 hash:7E74918F0790056546B862FA3E114C2A
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1645416850.0000000000158000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:03:08:54
                Start date:19/05/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:03:08:55
                Start date:19/05/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0xad0000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2899893197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2899893197.0000000000446000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:false

                No disassembly