Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1466182
MD5:	e3e6cf9bb53c398d2f75398923f91c11
SHA1:	9af3600fd9befae3aa830e80d9fb2f513c100ab4
SHA256:	eb55557a69adf16683fbc5f5fd822d8c3e338298a98e0769bdec8a7c5787a75d
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://49.13.159.121:9000/vcruntime140.dllh/Q	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/MW	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dlltQ	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/(	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll7	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/0	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/B	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/D	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/KD	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll0.15;	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/sqlt.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllets	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dlloft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll2	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/soft	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199707802586	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllL	Avira URL Cloud: Label: malware
Source: https://t.me/g067n	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/l	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll~	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dllAppData	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/ss3.dll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "93851f7e951a018e4f54b8ea574c0810"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: I8S%
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: usernameField
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: a GX Stable
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: uctName
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: layVersion
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: sktop\
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: F783D5D3EF8C*
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: T=@?VDX;W:R1J )M$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: #5EG P%:{
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ystemInfo
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 304FDQ8L\h$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: %hu/%hu
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ero\wallet.k9ys

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	1_2_0040AB80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor	URLs: https://t.me/g067n

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49726 -> 49.13.159.121:9000

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_004058C4

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121/
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/(
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/0
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/B
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/D
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/KD
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/MW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll7
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dllAppData
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/l
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll0.15;
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll~
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dlloft
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/soft
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll2
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllL
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/sqlt.dll
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/ss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllh/Q
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dlltQ
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:900024
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35rosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35txtft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000al
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000alMicrosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000ming
Source: GIIIEC.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n4G
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nNG
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: GIIIEC.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIIIEC.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00413160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00413160

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046A00C	0_2_0046A00C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E184	0_2_0043E184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045C2FF	0_2_0045C2FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C2A6	0_2_0043C2A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C5EE	0_2_0043C5EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452595	0_2_00452595
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E5A5	0_2_0043E5A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C945	0_2_0043C945
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E9D5	0_2_0043E9D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A9E4	0_2_0045A9E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C98E	0_2_0044C98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041EC10	0_2_0041EC10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00468CE3	0_2_00468CE3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CC8D	0_2_0043CC8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D01B	0_2_0043D01B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D3B8	0_2_0043D3B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044D461	0_2_0044D461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044F4E0	0_2_0044F4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401550	0_2_00401550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D746	0_2_0043D746
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F3770	0_2_003F3770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004778F0	0_2_004778F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FA10	0_2_0044FA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DAAB	0_2_0043DAAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FE50	0_2_0044FE50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DE1F	0_2_0043DE1F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423FD4	0_2_00423FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ECEC	1_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041E919	1_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041EEC1	1_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F6CF	1_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64CF0	1_2_1FC64CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC512A8	1_2_1FC512A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52AA9	1_2_1FC52AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9CC0	1_2_1FDB9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5292D	1_2_1FC5292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC81C50	1_2_1FC81C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52018	1_2_1FC52018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD79A20	1_2_1FD79A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD05940	1_2_1FD05940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51C9E	1_2_1FC51C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D6D0	1_2_1FD0D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF9690	1_2_1FCF9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5D4C0	1_2_1FC5D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9430	1_2_1FDB9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53580	1_2_1FC53580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE53B0	1_2_1FCE53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2D209	1_2_1FE2D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD75040	1_2_1FD75040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC69000	1_2_1FC69000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC8CE10	1_2_1FC8CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78D2A	1_2_1FC78D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD54A60	1_2_1FD54A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5C800	1_2_1FC5C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51EF1	1_2_1FC51EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78763	1_2_1FC78763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB4760	1_2_1FCB4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE8760	1_2_1FCE8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD90480	1_2_1FD90480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53AB2	1_2_1FC53AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD8120	1_2_1FCD8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD0090	1_2_1FCD0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD78030	1_2_1FD78030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5290A	1_2_1FC5290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7BAB0	1_2_1FC7BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5251D	1_2_1FC5251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC83370	1_2_1FC83370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5F160	1_2_1FC5F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5174E	1_2_1FC5174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB2EE0	1_2_1FCB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC96E80	1_2_1FC96E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2AEBE	1_2_1FE2AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC519DD	1_2_1FC519DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5EA80	1_2_1FC5EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5AA40	1_2_1FC5AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD369C0	1_2_1FD369C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A940	1_2_1FD4A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD6A900	1_2_1FD6A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5481D	1_2_1FC5481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53E3B	1_2_1FC53E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD8E800	1_2_1FD8E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A590	1_2_1FD4A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7A560	1_2_1FC7A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC547AF	1_2_1FC547AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5209F	1_2_1FC5209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCDA0B0	1_2_1FCDA0B0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00458C74 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C798 appears 117 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00446D18 appears 32 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041D150 appears 67 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C7CB appears 76 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC53AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FE306B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5415B appears 173 times

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/13@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_0041246A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

1_2_004129BF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\F53RW6MZ.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6132

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a27284b7-27eb-4a5d-b9da-f4aa1a349191

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CAEHJE.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT name, value FROM autofill;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0041B050

PE file contains sections with non-standard names

Source: sqlt[1].dll.1.dr

Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C766 push ecx; ret	0_2_0041C779
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1A0 push ecx; ret	0_2_0041D1B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421EF5 push ecx; ret	1_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51BF9 push ecx; ret	1_2_1FDF4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC510C8 push ecx; ret	1_2_1FE53552

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411F21 GetSystemInfo,wsprintfA,

1_2_00411F21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: KEGCBK.1.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KEGCBK.1.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: KEGCBK.1.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: KEGCBK.1.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: KEGCBK.1.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KEGCBK.1.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KEGCBK.1.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KEGCBK.1.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: KEGCBK.1.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KEGCBK.1.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462799 IsDebuggerPresent,

0_2_00462799

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A686 mov eax, dword ptr fs:[00000030h]	0_2_0045A686
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A4DF mov eax, dword ptr fs:[00000030h]	0_2_0045A4DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A565 mov eax, dword ptr fs:[00000030h]	0_2_0045A565
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A522 mov eax, dword ptr fs:[00000030h]	0_2_0045A522
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A6CA mov eax, dword ptr fs:[00000030h]	0_2_0045A6CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A70E mov eax, dword ptr fs:[00000030h]	0_2_0045A70E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A73F mov eax, dword ptr fs:[00000030h]	0_2_0045A73F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004557D9 mov ecx, dword ptr fs:[00000030h]	0_2_004557D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ACF3 mov eax, dword ptr fs:[00000030h]	1_2_0041ACF3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_004058C4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004469C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004469C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CEEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041CEEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D07F SetUnhandledExceptionFilter,	0_2_0041D07F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041D1B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00423DCD SetUnhandledExceptionFilter,	1_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC542AF SetUnhandledExceptionFilter,	1_2_1FC542AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_1FC52C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00FF018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		1_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		1_2_004137BD

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D42008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CBB5 cpuid

0_2_0041CBB5

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458672
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458803
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_003FE9AF
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00466F54
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0046714F
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0045912E
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004671F6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0046725F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004672FA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00467385
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004675D8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00467701
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00467807
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,	0_2_0041B80D
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004678D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1FE2FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_1FC5298C

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CDC4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0041CDC4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00411BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462067 GetTimeZoneInformation,

0_2_00462067

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_1FCCDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCD1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC65C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC65C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FCCDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_1FCF5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD2D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD2D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD714D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD714D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD0D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_1FCE9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC80FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC80FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FD34D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88CB0 sqlite3_bind_zeroblob,	1_2_1FC88CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_1FC88970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_1FC64820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FCA06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_1FCA8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88430 sqlite3_bind_int64,	1_2_1FC88430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCC8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_1FCC8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FD34140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD337E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD337E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD13770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD13770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_1FC7B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCAEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_1FCAEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_1FCCA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_1FCBE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCCE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FCBE090

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
49.13.159.121	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

Contacted Domains

Name	IP	Active
t.me	149.154.167.99	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199707802586	true	Avira URL Cloud: malware	unknown
https://t.me/g067n	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://49.13.159.121:9000/vcruntime140.dllh/Q	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/MW	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dlltQ	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/(	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll7	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/0	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/B	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/D	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/KD	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll0.15;	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/sqlt.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllets	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dlloft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll2	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/soft	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199707802586	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllL	Avira URL Cloud: Label: malware
Source: https://t.me/g067n	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/l	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll~	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dllAppData	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/ss3.dll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "93851f7e951a018e4f54b8ea574c0810"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: I8S%
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: usernameField
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: a GX Stable
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: uctName
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: layVersion
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: sktop\
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: F783D5D3EF8C*
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: T=@?VDX;W:R1J )M$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: #5EG P%:{
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ystemInfo
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 304FDQ8L\h$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: %hu/%hu
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ero\wallet.k9ys

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	1_2_0040AB80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor	URLs: https://t.me/g067n

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49726 -> 49.13.159.121:9000

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_004058C4

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121/
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/(
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/0
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/B
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/D
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/KD
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/MW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll7
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dllAppData
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/l
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll0.15;
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll~
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dlloft
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/soft
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll2
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllL
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/sqlt.dll
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/ss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllh/Q
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dlltQ
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:900024
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35rosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35txtft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000al
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000alMicrosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000ming
Source: GIIIEC.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n4G
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nNG
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: GIIIEC.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIIIEC.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_00413160

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046A00C	0_2_0046A00C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E184	0_2_0043E184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045C2FF	0_2_0045C2FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C2A6	0_2_0043C2A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C5EE	0_2_0043C5EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452595	0_2_00452595
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E5A5	0_2_0043E5A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C945	0_2_0043C945
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E9D5	0_2_0043E9D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A9E4	0_2_0045A9E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C98E	0_2_0044C98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041EC10	0_2_0041EC10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00468CE3	0_2_00468CE3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CC8D	0_2_0043CC8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D01B	0_2_0043D01B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D3B8	0_2_0043D3B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044D461	0_2_0044D461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044F4E0	0_2_0044F4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401550	0_2_00401550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D746	0_2_0043D746
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F3770	0_2_003F3770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004778F0	0_2_004778F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FA10	0_2_0044FA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DAAB	0_2_0043DAAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FE50	0_2_0044FE50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DE1F	0_2_0043DE1F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423FD4	0_2_00423FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ECEC	1_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041E919	1_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041EEC1	1_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F6CF	1_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64CF0	1_2_1FC64CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC512A8	1_2_1FC512A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52AA9	1_2_1FC52AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9CC0	1_2_1FDB9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5292D	1_2_1FC5292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC81C50	1_2_1FC81C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52018	1_2_1FC52018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD79A20	1_2_1FD79A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD05940	1_2_1FD05940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51C9E	1_2_1FC51C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D6D0	1_2_1FD0D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF9690	1_2_1FCF9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5D4C0	1_2_1FC5D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9430	1_2_1FDB9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53580	1_2_1FC53580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE53B0	1_2_1FCE53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2D209	1_2_1FE2D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD75040	1_2_1FD75040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC69000	1_2_1FC69000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC8CE10	1_2_1FC8CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78D2A	1_2_1FC78D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD54A60	1_2_1FD54A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5C800	1_2_1FC5C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51EF1	1_2_1FC51EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78763	1_2_1FC78763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB4760	1_2_1FCB4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE8760	1_2_1FCE8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD90480	1_2_1FD90480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53AB2	1_2_1FC53AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD8120	1_2_1FCD8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD0090	1_2_1FCD0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD78030	1_2_1FD78030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5290A	1_2_1FC5290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7BAB0	1_2_1FC7BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5251D	1_2_1FC5251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC83370	1_2_1FC83370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5F160	1_2_1FC5F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5174E	1_2_1FC5174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB2EE0	1_2_1FCB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC96E80	1_2_1FC96E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2AEBE	1_2_1FE2AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC519DD	1_2_1FC519DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5EA80	1_2_1FC5EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5AA40	1_2_1FC5AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD369C0	1_2_1FD369C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A940	1_2_1FD4A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD6A900	1_2_1FD6A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5481D	1_2_1FC5481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53E3B	1_2_1FC53E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD8E800	1_2_1FD8E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A590	1_2_1FD4A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7A560	1_2_1FC7A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC547AF	1_2_1FC547AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5209F	1_2_1FC5209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCDA0B0	1_2_1FCDA0B0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00458C74 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C798 appears 117 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00446D18 appears 32 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041D150 appears 67 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C7CB appears 76 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC53AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FE306B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5415B appears 173 times

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/13@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_0041246A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

1_2_004129BF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\F53RW6MZ.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6132

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a27284b7-27eb-4a5d-b9da-f4aa1a349191

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CAEHJE.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT name, value FROM autofill;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

PE file contains sections with non-standard names

Source: sqlt[1].dll.1.dr

Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C766 push ecx; ret	0_2_0041C779
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1A0 push ecx; ret	0_2_0041D1B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421EF5 push ecx; ret	1_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51BF9 push ecx; ret	1_2_1FDF4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC510C8 push ecx; ret	1_2_1FE53552

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411F21 GetSystemInfo,wsprintfA,

1_2_00411F21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: KEGCBK.1.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KEGCBK.1.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: KEGCBK.1.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: KEGCBK.1.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: KEGCBK.1.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KEGCBK.1.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KEGCBK.1.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KEGCBK.1.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: KEGCBK.1.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KEGCBK.1.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462799 IsDebuggerPresent,

0_2_00462799

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A686 mov eax, dword ptr fs:[00000030h]	0_2_0045A686
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A4DF mov eax, dword ptr fs:[00000030h]	0_2_0045A4DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A565 mov eax, dword ptr fs:[00000030h]	0_2_0045A565
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A522 mov eax, dword ptr fs:[00000030h]	0_2_0045A522
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A6CA mov eax, dword ptr fs:[00000030h]	0_2_0045A6CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A70E mov eax, dword ptr fs:[00000030h]	0_2_0045A70E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A73F mov eax, dword ptr fs:[00000030h]	0_2_0045A73F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004557D9 mov ecx, dword ptr fs:[00000030h]	0_2_004557D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ACF3 mov eax, dword ptr fs:[00000030h]	1_2_0041ACF3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_004058C4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004469C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004469C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CEEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041CEEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D07F SetUnhandledExceptionFilter,	0_2_0041D07F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041D1B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00423DCD SetUnhandledExceptionFilter,	1_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC542AF SetUnhandledExceptionFilter,	1_2_1FC542AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_1FC52C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

0_2_00FF018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		1_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		1_2_004137BD

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D42008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CBB5 cpuid

0_2_0041CBB5

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458672
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458803
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_003FE9AF
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00466F54
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0046714F
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0045912E
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004671F6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0046725F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004672FA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00467385
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004675D8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00467701
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00467807
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,	0_2_0041B80D
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004678D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1FE2FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_1FC5298C

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CDC4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0041CDC4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00411BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462067 GetTimeZoneInformation,

0_2_00462067

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_1FCCDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCD1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC65C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC65C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FCCDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_1FCF5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD2D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD2D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD714D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD714D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD0D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_1FCE9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC80FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC80FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FD34D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88CB0 sqlite3_bind_zeroblob,	1_2_1FC88CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_1FC88970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_1FC64820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FCA06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_1FCA8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88430 sqlite3_bind_int64,	1_2_1FC88430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCC8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_1FCC8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FD34140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD337E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD337E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD13770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD13770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_1FC7B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCAEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_1FCAEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_1FCCA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_1FCBE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCCE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FCBE090

ID:	1466182
Product:	CloudBasic
Start time:	16:39:09
Start date:	02.07.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e3e6cf9bb53c398d2f75398923f91c11
SHA1:	9af3600fd9befae3aa830e80d9fb2f513c100ab4
SHA256:	eb55557a69adf16683fbc5f5fd822d8c3e338298a98e0769bdec8a7c5787a75d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\GIIIECBGDHJJ\CAEHJE	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\GIIIECBGDHJJ\EBKEHJ	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1	7B955D976803304F2C0505431A0CF1CF	E29070081B18DA0EF9D98D4389091962E3D37216	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
C:\ProgramData\GIIIECBGDHJJ\GHDHJE	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	9D46F142BBCF25D0D495FF1F3A7609D3	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
C:\ProgramData\GIIIECBGDHJJ\GIIIEC	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	429F49156428FD53EB06FC82088FD324	560E48154B4611838CD4E9DF4C14D0F9840F06AF	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
C:\ProgramData\GIIIECBGDHJJ\IJKKEH	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\GIIIECBGDHJJ\JJJKFB	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1	52701A76A821CDDBC23FB25C3FCA4968	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
C:\ProgramData\GIIIECBGDHJJ\KEGCBK	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_50842b9be826d8ed7939945d23cf3e974f7f0c4_56460358_2c7f8a6a-34e8-4b3b-a34b-55f9ed7afc39\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	ACF27D4D1C066AEB19362C7426E7F269	01E8F9567523F3C36908A3816BFA2BCC406DC6F9	70BD6C7A6FEBE84197E89C554F90ED3645DE536EF227E91C06118513FE880100
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF16E.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Jul 2 14:40:06 2024, 0x1205a4 type	992B32F54EB63146BDBC90576EF593A0	E58C548A267CBB410D5DE838FEAF7C0BA63ACC49	116AD52BDB2B0A22AC090F39C315B0E8A294F11753DF440DB0C885385465395D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	725829EA971D320A82445618ED5C5923	72CEDB71C794DE62732ECB962D20223FB5EBB9D7	2D4B0DD90CDDAC2C9B5DEF76DB34C42E180E1F3D8DED892C9C7F72E02568D5E0
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF299.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	18E0016373781FC08FC963AB4BE952EF	7E6189C0CC51AA7214C816A4ECFB57C2161E1E17	4332DBCF0CE0468797A69F0C963668B3AD79018040E7EB63349CAC1ED7390D43
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	90E744829865D57082A7F452EDC90DE5	833B178775F39675FA4E55EAB1032353514E1052	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	2BC1F7B211A0DCFFEBFA04B27A55B639	7040A99F1ECFB0F77F450562191B031674BFADE2	EFA30DC27BB45F5FA25D0CB5C393FA685B13E3FF0A8149B7F340F204958231A2

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by