
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1459509
MD5: 2a042e0136d2125e744724a757f33950
SHA1: d3f5304872ff4b795cde48914fa4d81768abba5d
SHA256: 65746b8a8fddc5dfb1602a3a5605cd039476bab5e66076bc729b987793986e0e
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Country aware sample found (crashes after keyboard check)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5572 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2A042E0136D2125E744724A757F33950)
    • RegAsm.exe (PID: 8 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 2060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 3872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 6880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199699680841", "https://t.me/memve4erin"], "Botnet": "673ad4d1558c47b58d4f59c1d86488e2"}
Source | Rule | Description | Author | Strings
00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x23208:$s1: JohnDoe
  • 0x23200:$s2: HAL9TH
00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Process Memory Space: file.exe PID: 5572 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Source | Rule | Description | Author | Strings
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
3.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x22408:$s1: JohnDoe
  • 0x22400:$s2: HAL9TH
3.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
3.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x23208:$s1: JohnDoe
  • 0x23200:$s2: HAL9TH
0.2.file.exe.fd0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: https://162.55.53.18:9000/A | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dllEdge | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/B | Avira URL Cloud: Label: malware
Source: https://t.me/memve4erin | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll10.15; | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dllu | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/sqlt.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/46ff6le | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/tm | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/msvcp140.dllEdge | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllUser | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/p | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/MH | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/l | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dllsposition: | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/bW | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dlle | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/ | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/sqlt.dllB | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/ZG | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dlloft | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/Zm | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/$ | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllA | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/cG4 | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/vcruntime140.dllppet | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dllJ | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000 | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/softokn3.dll2 | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/nss3.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/4 | Avira URL Cloud: Label: malware
Source: https://162.55.53.18/ | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199699680841 | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/freebl3.dll~ | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://162.55.53.18:9000/.53.18:9000/ | Avira URL Cloud: Label: malware
Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199699680841", "https://t.me/memve4erin"], "Botnet": "673ad4d1558c47b58d4f59c1d86488e2"}
Source: https://162.55.53.18:9000/sqlt.dll | Virustotal: Detection: 15%
Source: https://162.55.53.18:9000/msvcp140.dll | Virustotal: Detection: 10%
Source: https://162.55.53.18:9000/msvcp140.dllEdge | Virustotal: Detection: 10%
Source: https://162.55.53.18:9000/l | Virustotal: Detection: 10%
Source: https://162.55.53.18:9000/ | Virustotal: Detection: 15%
Source: file.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00406DE2 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00411A55 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00406D7F CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00408E1E memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3EC7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040D1BA _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040A025 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00417148 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040A440 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040B4C3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00417591 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004166D7 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040AAB4 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00416DA3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040BFA5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00416B24 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199699680841
Source: Malware configuration extractor | URLs: https://t.me/memve4erin
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 162.55.53.18:9000
Source: global traffic | HTTP traffic detected:
    GET /memve4erin HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 162.55.53.18 162.55.53.18
Source: Joe Sandbox View | IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 162.55.53.18 (50 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004041B2 _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
Source: global traffic | HTTP traffic detected:
    GET /memve4erin HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabtO
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enN
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18/
Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/
Source: RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/$
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/.53.18:9000/
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/4
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/46ff6le
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/A
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/B
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/MH
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/ZG
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/Zm
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/bW
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/cG4
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/freebl3.dllsposition:
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/freebl3.dllu
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/freebl3.dll~
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/l
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/nss3.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/nss3.dllJ
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/nss3.dlloft
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/p
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/softokn3.dll
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/softokn3.dll10.15;
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/softokn3.dll2
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/sqlt.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/sqlt.dllB
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/tm
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllA
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllUser
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dlle
Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000/vcruntime140.dllppet
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:90001234567890hrome
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000646ff6le
Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000FID
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000al
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000ming
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000nbfoldnt-Disposition:
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000tacrosoft
Source: RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://162.55.53.18:9000tel
Source: BAEHIE.3.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BAEHIE.3.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BAEHIE.3.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BAEHIE.3.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BAEHIE.3.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BAEHIE.3.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BAEHIE.3.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199699680841
Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: GDBFHD.3.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: GDBFHD.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
                Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/m
                Source: file.exe, 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/memve4erin
                Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/memve4erin&
                Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                Source: BAEHIE.3.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: BAEHIE.3.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00411FA6 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

System Summary

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD9390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD60F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE7842
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD5810
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDD1F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF8124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF13BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE7B8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE24D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FED4B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE4480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041E008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041D3DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041CE89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3E4CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4F9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B485940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D1C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D2AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D12A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B539CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D3580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4653B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B5AD209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4F5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3E9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B48D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B479690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B539430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4D4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D1EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3F8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D3AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B458120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4F8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B450090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B434760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B468760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3F8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3F8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B510480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3FBAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B407810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B403370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3DF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3DAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4CA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4EA900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4B69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D3E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B50E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B432EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B416E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B5AAEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D19DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B45A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3E66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3FA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4CA590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D47AF
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FDCCA0 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004024D7 appears 312 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00419412 appears 112 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B3D395E appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B3D3AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B3D415B appears 135 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B3D1C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B3D1F5A appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 1B5B06B1 appears 36 times
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/15@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00410F6C _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041136D _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PFTM0GXP.htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5572
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8856bebd-0d96-4a38-a47c-ea35fa3b8443
Source: C:\Users\user\Desktop\file.exe | Command line argument: ADSdsfrhgt
Source: C:\Users\user\Desktop\file.exe | Command line argument: Alister
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CBKFBA.3.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptnet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cabinet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2949428646.000000001B5E8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004189AF GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: sqlt[1].dll.3.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC422 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A535 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D1BF9 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D10C8 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR
                Source: c:\users\user\desktop\file.exe | Event Logs and Signature results: Application crash and keyboard check
                Source: RegAsm.exe | Binary or memory string: DIR_WATCH.DLL
                Source: RegAsm.exe | Binary or memory string: SBIEDLL.DLL
                Source: RegAsm.exe | Binary or memory string: API_LOG.DLL
                Source: RegAsm.exe, 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041098E GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410AA1h
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3EC7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040D1BA _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040A025 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00417148 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040A440 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040B4C3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00417591 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004166D7 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040AAB4 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00416DA3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040BFA5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00416B24 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00410B2A GetSystemInfo,wsprintfA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                Source: Amcache.hve.6.dr | Binary or memory string: VMware
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: RegAsm.exe, 00000003.00000002.2943348984.0000000003595000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE0863 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004189AF GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF2127 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEAB42 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF7113 GetProcessHeap,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDCA4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDCBDA SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC746 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041A6DF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041F798 SetUnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041BC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D42AF SetUnhandledExceptionFilter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3D2C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0151018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00411E67 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000
                Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B18008
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC51C cpuid
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC943 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00410874 GetProcessHeap,HeapAlloc,GetUserNameA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0041093B GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: RegAsm.exe, 00000003.00000002.2942919191.00000000010A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                Remote Access Functionality

                Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.fd0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5572, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3872, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B44DB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B475910 sqlite3_mprintf,sqlite3_bind_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4FD9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B44DFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B451FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B3E5C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B48D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4751D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B469090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4AD610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4755B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4F14D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1B4FD4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B3E4820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B400FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B4B4D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,InitOnceBeginInitialize,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B448200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B4206E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B3F8680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B428550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B407810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B493770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B4B37E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B3FB400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B42EF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B43E200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B44E170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B43E090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B44A6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_1B3E66C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,
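The sqlite3_prepare / sqlite3_bind / sqlite3_step / sqlite3_column chains listed above are the read side of what the injected RegAsm.exe does with the Edge and Chrome "Login Data", "History" and "Web Data" files it opened earlier in the report. The Python script below is an added example and is not code from the report or from the sample: it is a responder-side version of the same read loop, used to scope which saved logins and recent URLs a compromised profile exposed. It works on a private copy of the database (the browser keeps the live file locked), never decrypts password_value, and touches only the logins and urls columns named in the comments; the file names under a temporary directory and the sample rows are constructed for this example.

```python
"""Scope what a browser stealer could read from a Chromium profile.

Added example, not part of the Joe Sandbox report or the Vidar sample.
Column subset used: logins(origin_url, username_value, password_value,
date_created) and urls(url, title, last_visit_time); these columns exist
in Chromium's real schema, the rows below are constructed test data.
"""
import shutil
import sqlite3
import tempfile
from contextlib import contextmanager
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


@contextmanager
def open_copy(db_path: Path):
    """The browser holds a lock on the live file, so query a disposable copy."""
    tmp_dir = tempfile.mkdtemp(prefix="chromium-triage-")
    try:
        copy = Path(tmp_dir) / db_path.name
        shutil.copy2(db_path, copy)
        conn = sqlite3.connect(copy)
        try:
            yield conn
        finally:
            conn.close()
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


def exposed_logins(login_data: Path) -> list:
    """Origins and usernames a stealer obtained; the encrypted blob is never returned."""
    with open_copy(login_data) as conn:
        rows = conn.execute(
            "SELECT origin_url, username_value, length(password_value), date_created "
            "FROM logins ORDER BY date_created"
        ).fetchall()
    return [
        {"origin": o, "username": u, "has_password": (n or 0) > 0,
         "created": webkit_to_datetime(t).isoformat()}
        for o, u, n, t in rows
    ]


def recent_history(history: Path, limit: int = 50) -> list:
    """Most recently visited URLs, the other table the sample's sqlite calls target."""
    with open_copy(history) as conn:
        rows = conn.execute(
            "SELECT url, title, last_visit_time FROM urls "
            "ORDER BY last_visit_time DESC LIMIT ?", (limit,)
        ).fetchall()
    return [{"url": u, "title": t, "last_visit": webkit_to_datetime(v).isoformat()}
            for u, t, v in rows]


def build_sample_profile(directory: Path) -> tuple:
    """Constructed test data: minimal 'Login Data' and 'History' files."""
    login_data = directory / "Login Data"
    conn = sqlite3.connect(login_data)
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                 "password_value BLOB, date_created INTEGER)")
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?)", [
        ("https://mail.example.com/", "alice", b"v10\x00opaque-dpapi-blob", 13363228800000000),
        ("https://bank.example.net/", "alice", b"", 13363228900000000),
    ])
    conn.commit()
    conn.close()
    history = directory / "History"
    conn = sqlite3.connect(history)
    conn.execute("CREATE TABLE urls (url TEXT, title TEXT, last_visit_time INTEGER)")
    conn.execute("INSERT INTO urls VALUES (?,?,?)",
                 ("https://bank.example.net/login", "Bank", 13363228950000000))
    conn.commit()
    conn.close()
    return login_data, history


def demo_run() -> tuple:
    """Build the constructed profile and triage it; returns (logins, history)."""
    with tempfile.TemporaryDirectory() as d:
        login_data, history = build_sample_profile(Path(d))
        return exposed_logins(login_data), recent_history(history)


if __name__ == "__main__":
    logins, visits = demo_run()
    for entry in logins + visits:
        print(entry)
```

On a real host, point exposed_logins at the profile's "Login Data" and recent_history at "History" (copied off the box first if the browser is still running). The script only answers "which accounts and sites were exposed", which is what drives credential rotation; decrypting password_value needs the user's DPAPI context and is not something a triage script should do.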
MITRE ATT&CK matrix. Each tactic lists the eight techniques shown in the report's matrix column; a number in parentheses is the count the report renders on that technique's cell, and techniques without a number are the unflagged matrix entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (511); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (511); Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (54); Security Software Discovery (151); Virtualization/Sandbox Evasion (1); Process Discovery (12); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Local System (1); Screen Capture (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
[Behavior graph and screenshot thumbnails are not reproduced here. Graph legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.]
Source | Detection | Scanner | Label
file.exe | 38% | Virustotal | -
file.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll | 0% | ReversingLabs | -

No Antivirus matches

Source | Detection | Scanner | Label
t.me | 0% | Virustotal | -
URL | Detection | Scanner | Label (URLs are reproduced exactly as carved from memory, including trailing garbage; Virustotal rows link to the scan result and carry no label)
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/A | 100% | Avira URL Cloud | malware
https://t.me/ | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/softokn3.dllEdge | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000FID | 0% | Avira URL Cloud | safe
https://t.me/ | 0% | Virustotal | -
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/B | 100% | Avira URL Cloud | malware
https://t.me/memve4erin | 100% | Avira URL Cloud | malware
https://t.me/memve4erin | 2% | Virustotal | -
https://162.55.53.18:9000/softokn3.dll10.15; | 100% | Avira URL Cloud | malware
https://web.telegram.org | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/B | 4% | Virustotal | -
https://162.55.53.18:9000/freebl3.dllu | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/sqlt.dll | 100% | Avira URL Cloud | malware
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | -
https://web.telegram.org | 0% | Virustotal | -
https://duckduckgo.com/ac/?q= | 0% | Virustotal | -
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000646ff6le | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/46ff6le | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/msvcp140.dll | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/tm | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/sqlt.dll | 16% | Virustotal | -
https://162.55.53.18:9000/softokn3.dll | 100% | Avira URL Cloud | malware
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/msvcp140.dllEdge | 100% | Avira URL Cloud | malware
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | Avira URL Cloud | safe
https://t.me/memve4erin& | 0% | Avira URL Cloud | safe
https://t.me/m | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/msvcp140.dll | 11% | Virustotal | -
https://162.55.53.18:9000/vcruntime140.dllUser | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/p | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/MH | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/msvcp140.dllEdge | 11% | Virustotal | -
https://162.55.53.18:9000/l | 100% | Avira URL Cloud | malware
http://www.sqlite.org/copyright.html. | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/freebl3.dllsposition: | 100% | Avira URL Cloud | malware
https://t.me/m | 0% | Virustotal | -
https://162.55.53.18:9000/l | 11% | Virustotal | -
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/bW | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/vcruntime140.dlle | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/ | 100% | Avira URL Cloud | malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | -
https://162.55.53.18:9000/sqlt.dllB | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000al | 0% | Avira URL Cloud | safe
http://www.sqlite.org/copyright.html. | 0% | Virustotal | -
https://162.55.53.18:9000/ZG | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000tel | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/ | 16% | Virustotal | -
https://162.55.53.18:9000/nss3.dlloft | 100% | Avira URL Cloud | malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000ming | 0% | Avira URL Cloud | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/vcruntime140.dll | 100% | Avira URL Cloud | malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Virustotal | -
https://162.55.53.18:9000/Zm | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000nbfoldnt-Disposition: | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/$ | 100% | Avira URL Cloud | malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | -
https://162.55.53.18:9000/freebl3.dll | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/vcruntime140.dllA | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/cG4 | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/vcruntime140.dllppet | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/nss3.dllJ | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000 | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/softokn3.dll2 | 100% | Avira URL Cloud | malware
https://162.55.53.18:90001234567890hrome | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/nss3.dll | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/4 | 100% | Avira URL Cloud | malware
https://162.55.53.18/ | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199699680841 | 100% | Avira URL Cloud | malware
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | Avira URL Cloud | safe
https://162.55.53.18:9000/freebl3.dll~ | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/mozglue.dll | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000/.53.18:9000/ | 100% | Avira URL Cloud | malware
https://162.55.53.18:9000tacrosoft | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://t.me/memve4erin | true | Virustotal 2%; Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199699680841 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | BAEHIE.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://t.me/ | RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000FID | RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/softokn3.dllEdge | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/A | RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | BAEHIE.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/B | RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 4%; Avira URL Cloud: malware | unknown
https://web.telegram.org | RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/softokn3.dll10.15; | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/freebl3.dllu | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/sqlt.dll | RegAsm.exe, 00000003.00000002.2942073770.0000000000491000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal 16%; Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | BAEHIE.3.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000646ff6le | RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.00000000004B6000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/46ff6le | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/msvcp140.dll | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal 11%; Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/tm | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/softokn3.dll | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/msvcp140.dllEdge | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal 11%; Avira URL Cloud: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | GDBFHD.3.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | BAEHIE.3.dr | false | URL Reputation: safe | unknown
https://t.me/memve4erin& | RegAsm.exe, 00000003.00000002.2942656368.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/m | RegAsm.exe, 00000003.00000002.2942656368.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp | true | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/vcruntime140.dllUser | RegAsm.exe, 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/p | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/MH | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/l | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal 11%; Avira URL Cloud: malware | unknown
http://www.sqlite.org/copyright.html. | RegAsm.exe, 00000003.00000002.2949605614.000000001B61D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2943981511.0000000015676000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/freebl3.dllsposition: | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | BAEHIE.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/bW | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/vcruntime140.dlle | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/ | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Virustotal 16%; Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/sqlt.dllB | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000al | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.0000000000497000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/ZG | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000tel | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | BAEHIE.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
https://162.55.53.18:9000/nss3.dlloft | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp, GDBFHD.3.dr | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://162.55.53.18:9000ming | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | BAEHIE.3.dr | false | URL Reputation: safe | unknown
https://162.55.53.18:9000/vcruntime140.dll | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | BAEHIE.3.dr | false | URL Reputation: safe | unknown
https://162.55.53.18:9000/Zm | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000nbfoldnt-Disposition: | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/$ | RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/vcruntime140.dllA | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/freebl3.dll | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/cG4 | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/vcruntime140.dllppet | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/nss3.dllJ | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000 | RegAsm.exe, 00000003.00000002.2942656368.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/softokn3.dll2 | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:90001234567890hrome | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/nss3.dll | RegAsm.exe, 00000003.00000002.2942919191.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/4 | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18/ | RegAsm.exe, 00000003.00000002.2942794241.0000000001009000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | GDBFHD.3.dr | false | Avira URL Cloud: safe | unknown
https://162.55.53.18:9000/freebl3.dll~ | RegAsm.exe, 00000003.00000002.2942919191.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000/mozglue.dll | RegAsm.exe, 00000003.00000002.2942073770.000000000056E000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | BAEHIE.3.dr | false | URL Reputation: safe | unknown
https://162.55.53.18:9000/.53.18:9000/ | RegAsm.exe, 00000003.00000002.2942919191.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://162.55.53.18:9000tacrosoft | RegAsm.exe, 00000003.00000002.2942073770.00000000004D5000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                162.55.53.18 | unknown | United States | 35893 | ACPCA | false
                149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1459509
                Start date and time:2024-06-19 14:39:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 57s
                Hypervisor based Inspection enabled:false
                Report type:light
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:11
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@8/15@1/2
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • TCP Packets have been reduced to 100
                • Excluded IPs from analysis (whitelisted): 95.101.54.203, 2.16.202.128, 95.101.54.194, 95.101.54.130, 2.16.202.121, 95.101.54.209, 95.101.54.144, 95.101.54.139, 95.101.54.202, 20.42.73.29
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                08:40:07 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                08:40:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                No context
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                Category:dropped
                Size (bytes):28672
                Entropy (8bit):2.5793180405395284
                Encrypted:false
                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                Category:dropped
                Size (bytes):106496
                Entropy (8bit):1.1358696453229276
                Encrypted:false
                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                MD5:28591AA4E12D1C4FC761BE7C0A468622
                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                Category:dropped
                Size (bytes):40960
                Entropy (8bit):0.8553638852307782
                Encrypted:false
                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                MD5:28222628A3465C5F0D4B28F70F97F482
                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                Category:dropped
                Size (bytes):126976
                Entropy (8bit):0.47147045728725767
                Encrypted:false
                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                Malicious:false
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                Category:modified
                Size (bytes):114688
                Entropy (8bit):0.9746603542602881
                Encrypted:false
                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                MD5:780853CDDEAEE8DE70F28A4B255A600B
                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                Malicious:false
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                Category:dropped
                Size (bytes):159744
                Entropy (8bit):0.7873599747470391
                Encrypted:false
                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                Malicious:false
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                Category:dropped
                Size (bytes):49152
                Entropy (8bit):0.8180424350137764
                Encrypted:false
                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                MD5:349E6EB110E34A08924D92F6B334801D
                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):0.7085213233949067
                Encrypted:false
                SSDEEP:192:M7JhBl4vVPl+0p4iZI3jXqzuiFuZ24IO8TVB:y3oVNlp4iKj6zuiFuY4IO8X
                MD5:A33DBE13115559E3B20FE7A91AB745E5
                SHA1:E3561DBB2B9DC413FD262CE495EAFD8FCB066606
                SHA-256:58CF440D304337042E25AEEA912BDBB986A90BDD6EBB9DE27F4C1DE487EF7B36
                SHA-512:3431CCD9A3347E16458FE3333F769664662C800D9E090BEA3278A11CC8DA4D3D2618E2BF9A56E5935FDA4CAA39513E814485593092598592EDDF4A664D7FBAA6
                Malicious:true
                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.2.7.4.3.9.9.4.8.9.4.1.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.2.7.4.3.9.9.7.8.6.2.7.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.8.c.e.c.7.4.-.3.5.4.d.-.4.6.0.a.-.9.5.a.d.-.b.f.7.8.8.4.e.f.0.9.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.3.2.b.9.b.c.-.a.5.b.1.-.4.9.4.e.-.9.2.8.5.-.6.f.5.2.2.8.a.3.d.a.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.4.-.0.0.0.1.-.0.0.1.4.-.e.c.7.2.-.d.1.c.b.4.5.c.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.3.f.5.3.0.4.8.7.2.f.f.4.b.7.9.5.c.d.e.4.8.9.1.4.f.a.4.d.8.1.7.6.8.a.b.b.a.5.d.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.6.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 14 streams, Wed Jun 19 12:39:59 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):43270
                Entropy (8bit):1.8018423576157767
                Encrypted:false
                SSDEEP:192:KDVZHTdMLtO/n4s+kTyBTq7vnI1s/hbM9RcMJP:IVB5M8wtkEOznI1ehbM1
                MD5:AD261D87896F54820D9B230CEDCFA287
                SHA1:77F3D1A51A187415703A74B03C22FF9918E07679
                SHA-256:B9336CF50D5C97087EBBE3D7574DDF397BE47A2E3B1BD53374B8B942765BBAC8
                SHA-512:9EAFE33D3AA361BEEBF554323CE25FBE6DC6C1BC763B88C3771333D7C58DB356F3DEFA6A1DC29BB06BAC505FC18017DA2AAB9DC5306AF5C08F00FB00177078F1
                Malicious:false
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8326
                Entropy (8bit):3.695451458569435
                Encrypted:false
                SSDEEP:192:R6l7wVeJnCJ6O76Y9eSU9ngmfBOJJQpr189bVHHsfrHHm:R6lXJk6q6YkSU9ngmf0JJXVHMfTG
                MD5:A73CA148A343A6488103EB6DA5B0B24F
                SHA1:F5BF5D4ABC240C01AF4E83FF7C9C7018C321824B
                SHA-256:808EE5142C537E69CA2B0DF54D1252ADC7903D629BCF5702827C0BA617FE97AB
                SHA-512:147F8D4901E3958A52C597FD383AB3BFBE4078865FA5A42931F19456C9D4CBFF5FAD8BAF9E9CC242D057BFE3542FE900172D29F636C3345C021577AA517D5923
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.2.<./.P.i.
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4605
                Entropy (8bit):4.481762253623764
                Encrypted:false
                SSDEEP:48:cvIwWl8zs2Jg77aI9HhzSWpW8VYsYm8M4JTgFQV+q8wgnzgSO2d:uIjfMI7Lf7VAJZVOn/O2d
                MD5:B9D33F03AC07847C1A74E1816C865F0C
                SHA1:17AAEB63BE85042614E78C8E8221D711BFA65CB7
                SHA-256:29098E1774F6903A1DBBB85B669E95764F9493D95F097CAE0019768A69B0E879
                SHA-512:2A68292407E459486F88E982F7CA65ABFBA0AFAC5FB61C07E826BCC0C1C6F2F82D645C484C48DEC1DAAA521103D3F9F9CE5053BDC26C4A7AA1A89FFFB5329BF0
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="374622" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):71954
                Entropy (8bit):7.996617769952133
                Encrypted:true
                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious:false
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.1356875516282012
                Encrypted:false
                SSDEEP:6:kKogna9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:l1DnLNkPlE99SNxAhUe/3
                MD5:643A04DE806F367F95FA2C2372EAFDCE
                SHA1:690912B614D8E6C79F4788579A7F7416B33ADC70
                SHA-256:51837F0C94CE19779EFD1BDC1E37E46F06002A3D7AB02248C8FED4970831E2D5
                SHA-512:75E0579CD381174B4F406F10AE5233186608B13CA54AB860732485169DFEB78061D047DDB575C4F3A20D816BD7B5F22803A948380C1F8D2D69E8E3ABD09710B4
                Malicious:false
                Preview:p...... .........m}.E...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2459136
                Entropy (8bit):6.052474106868353
                Encrypted:false
                SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                MD5:90E744829865D57082A7F452EDC90DE5
                SHA1:833B178775F39675FA4E55EAB1032353514E1052
                SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                Malicious:false
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1835008
                Entropy (8bit):4.465312700633052
                Encrypted:false
                SSDEEP:6144:/IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbS:wXD94+WlLZMM6YFH1+S
                MD5:6D91DFAE854B49B66485D228E7E0BF0C
                SHA1:5662AFA897D945CD7F006DA86596DE6A8D3EBD95
                SHA-256:EDD8F426181C009364A73CF0F2BE9CA205BD9002CD4927F5BA159B503BA71523
                SHA-512:CAC1142CE303A9B7AE3404F49E9A5FB2B14CDAC761EB805D5FC2C3EB2C7BF37F0197CA1F3CD6AA2B80987D9FB3F70A7F2E702A1C4E7C27E15D50AAFAEBF02CDB
                Malicious:false
                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.O#.E.................................................................................................................................................................................................................................................................................................................................................5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.474701129164594
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:455'680 bytes
                MD5:2a042e0136d2125e744724a757f33950
                SHA1:d3f5304872ff4b795cde48914fa4d81768abba5d
                SHA256:65746b8a8fddc5dfb1602a3a5605cd039476bab5e66076bc729b987793986e0e
                SHA512:428e5cd961441fbfe4851dcef4431cad371673813028a631c5ca6cb7bda6d74d4f63b2d45689cd8d6c8cb6fc92dd1eb09bf4e307a93df1c9600c235951a4f1e8
                SSDEEP:6144:rAyIw/Vb6XOM8xYKn+TKRQGXHqF74UyM1nblXV8a0+lESfFa0l06qiXyf9RIR3pf:rAyI6b6XOMCT+B4Uyn6ESVlvqiKI5f
                TLSH:4DA4E01074828072D5A61A3306B4DBB95A7EB9344B618ECFA3D54F7EDF302C197325AB
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........bC..1C..1C..1...0R..1...0...1...0U..1.Y.0Q..1.Y.0V..1...0J..1C..1...1.Y.0...1.Z.0B..1.Z.0B..1.Z.0B..1RichC..1...............
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x40c1c7
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x6672C39D [Wed Jun 19 11:40:13 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:4d71c6568cd912923f8bc2058a57f65f
                Instruction
                call 00007F702141E599h
                jmp 00007F702141DC4Fh
                push ebp
                mov ebp, esp
                mov eax, dword ptr [ebp+08h]
                push esi
                mov ecx, dword ptr [eax+3Ch]
                add ecx, eax
                movzx eax, word ptr [ecx+14h]
                lea edx, dword ptr [ecx+18h]
                add edx, eax
                movzx eax, word ptr [ecx+06h]
                imul esi, eax, 28h
                add esi, edx
                cmp edx, esi
                je 00007F702141DDEBh
                mov ecx, dword ptr [ebp+0Ch]
                cmp ecx, dword ptr [edx+0Ch]
                jc 00007F702141DDDCh
                mov eax, dword ptr [edx+08h]
                add eax, dword ptr [edx+0Ch]
                cmp ecx, eax
                jc 00007F702141DDDEh
                add edx, 28h
                cmp edx, esi
                jne 00007F702141DDBCh
                xor eax, eax
                pop esi
                pop ebp
                ret
                mov eax, edx
                jmp 00007F702141DDCBh
                push esi
                call 00007F702141E89Fh
                test eax, eax
                je 00007F702141DDF2h
                mov eax, dword ptr fs:[00000018h]
                mov esi, 0046F3D4h
                mov edx, dword ptr [eax+04h]
                jmp 00007F702141DDD6h
                cmp edx, eax
                je 00007F702141DDE2h
                xor eax, eax
                mov ecx, edx
                lock cmpxchg dword ptr [esi], ecx
                test eax, eax
                jne 00007F702141DDC2h
                xor al, al
                pop esi
                ret
                mov al, 01h
                pop esi
                ret
                push ebp
                mov ebp, esp
                cmp dword ptr [ebp+08h], 00000000h
                jne 00007F702141DDD9h
                mov byte ptr [0046F3D8h], 00000001h
                call 00007F702141E095h
                call 00007F7021420EE2h
                test al, al
                jne 00007F702141DDD6h
                xor al, al
                pop ebp
                ret
                call 00007F702142E4A7h
                test al, al
                jne 00007F702141DDDCh
                push 00000000h
                call 00007F7021420EE9h
                pop ecx
                jmp 00007F702141DDBBh
                mov al, 01h
                pop ebp
                ret
                push ebp
                mov ebp, esp
                cmp byte ptr [0046F3D9h], 00000000h
                je 00007F702141DDD6h
                mov al, 01h
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38dc0 | 0x4c | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38e0c | 0x64 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x206c | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36cd8 | 0x1c | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x36c18 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2e000 | 0x160 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x2c360 | 0x2c400 | 48ebe9f7db94e39cc36c31d49f896c3c | False | 0.5570930437853108 | data | 6.657127142960566 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x2e000 | 0xb5fc | 0xb600 | 0cf0f9b30a372925a0871d8a6edaf1b5 | False | 0.42301253434065933 | data | 5.04202350165611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x3a000 | 0x35fe8 | 0x34e00 | 4fc4cf94d711a2509e54fb9c025c868e | False | 0.9842780363475178 | data | 7.983738010153567 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .bSs | 0x70000 | 0x4ac | 0x600 | f929bf25d4c42bd01cdad568b5fe4d8a | False | 0.4791666666666667 | data | 5.111291762588542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc | 0x71000 | 0x206c | 0x2200 | 3e1192bfa628a7fe9ce4ea609327c4e6 | False | 0.7296645220588235 | data | 6.424471018903299 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                DLL | Import
                GDI32.dll | SetPixel
                USER32.dll | GetDC, DestroyWindow, ReleaseDC
                ADVAPI32.dll | GetNumberOfEventLogRecords, DeleteAce
                KERNEL32.dll | WriteConsoleW, GetProcessHeap, CreateFileW, HeapSize, CloseHandle, WaitForSingleObject, CreateThread, VirtualAlloc, GetConsoleWindow, GetCurrentThreadId, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetStdHandle, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEndOfFile
                Name | Ordinal | Address
                AsuxuiHAuiiua | 1 | 0x409310
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 19, 2024 14:39:59.852648020 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:39:59.852751017 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:39:59.852835894 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:39:59.887254000 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:39:59.887291908 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.527199030 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.527314901 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.591753006 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.591808081 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.592763901 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.592848063 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.594978094 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.636522055 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.779308081 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.779371977 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.779407978 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.779475927 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.779525042 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.779550076 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.779562950 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.779639959 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.781646013 CEST | 49731 | 443 | 192.168.2.4 | 149.154.167.99
                Jun 19, 2024 14:40:00.781682014 CEST | 443 | 49731 | 149.154.167.99 | 192.168.2.4
                Jun 19, 2024 14:40:00.787695885 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:00.792666912 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:00.792748928 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:00.793065071 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:00.797921896 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:01.438410044 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:01.438441992 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:01.438474894 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:01.438524961 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:02.400815964 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:02.405736923 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:02.592015982 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:02.592123032 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:02.592550993 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:02.597348928 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.043494940 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.043572903 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.047522068 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.052671909 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.052781105 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.053028107 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.058120012 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.684803963 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.684912920 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.692576885 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.697453022 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:03.731571913 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:03.738267899 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.312442064 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.312650919 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.313782930 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.314119101 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.319207907 CEST | 9000 | 49733 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.319266081 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.319297075 CEST | 49733 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.319340944 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.319617987 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.325268030 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.976289988 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.976355076 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.976794958 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.978588104 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:04.981465101 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:04.983596087 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.671540976 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.671556950 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.671566010 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.671673059 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.673285007 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.673738003 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.680844069 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.680927992 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.681200027 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.681315899 CEST | 9000 | 49738 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:05.681360960 CEST | 49738 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:05.685951948 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.321352959 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.321444035 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.321836948 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.326610088 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.347815990 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.352690935 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949598074 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949621916 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949632883 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949640989 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949646950 CEST | 9000 | 49742 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.949807882 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.949807882 CEST | 49742 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.951541901 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.952148914 CEST | 49744 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.956809998 CEST | 9000 | 49741 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.956892014 CEST | 49741 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.958511114 CEST | 9000 | 49744 | 162.55.53.18 | 192.168.2.4
                Jun 19, 2024 14:40:06.958599091 CEST | 49744 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.958859921 CEST | 49744 | 9000 | 192.168.2.4 | 162.55.53.18
                Jun 19, 2024 14:40:06.963690996 CEST | 9000 | 49744 | 162.55.53.18 | 192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 19, 2024 14:39:59.810946941 CEST | 50394 | 53 | 192.168.2.4 | 1.1.1.1
                Jun 19, 2024 14:39:59.820652962 CEST | 53 | 50394 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jun 19, 2024 14:39:59.810946941 CEST | 192.168.2.4 | 1.1.1.1 | 0x5593 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jun 19, 2024 14:39:59.820652962 CEST | 1.1.1.1 | 192.168.2.4 | 0x5593 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
                • t.me


                Target ID:0
                Start time:08:39:58
                Start date:19/06/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0xfd0000
                File size:455'680 bytes
                MD5 hash:2A042E0136D2125E744724A757F33950
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1828525742.000000000100A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:08:39:59
                Start date:19/06/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0x3a0000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:08:39:59
                Start date:19/06/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0x330000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:08:39:59
                Start date:19/06/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Imagebase:0x7f0000
                File size:65'440 bytes
                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000003.00000002.2942073770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2942073770.0000000000453000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:false

                Target ID:6
                Start time:08:39:59
                Start date:19/06/2024
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 336
                Imagebase:0xf50000
                File size:483'680 bytes
                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                No disassembly