Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519653
MD5: 4453d7bc66e29c48ed6495bfa820e5b5
SHA1: da622e588d635bbadd7ff04ad3df5db191ff0549
SHA256: 941e7002f11290e3ed9dd99d8cc0abc62f6cf69b923ae30b89741579854a8a70
Tags: exeuser-Bitsight
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://5.75.211.162/sqlp.dllg Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllb Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/inventory/ Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869 Avira URL Cloud: Label: malware
Source: https://5.75.211.162/% Avira URL Cloud: Label: malware
Source: https://5.75.211.162 Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dll Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dlls.exe Avira URL Cloud: Label: malware
Source: https://5.75.211.162/E Avira URL Cloud: Label: malware
Source: https://5.75.211.162/2 Avira URL Cloud: Label: malware
Source: https://5.75.211.162/V Avira URL Cloud: Label: malware
Source: https://5.75.211.162/M Avira URL Cloud: Label: malware
Source: https://5.75.211.162/c Avira URL Cloud: Label: malware
Source: https://5.75.211.162/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b26735cbe8ca9e75712ffe3aa40c4a60"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\rje\tg\jv2je3\obj\Release\ojc.pdb source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA, 3_2_00415142
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 3_2_004014AD

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.4:49744
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.4:49743
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 5.75.211.162 5.75.211.162
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 5.75.211.162:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFCAAEGDBKJJKECBKFHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00406963 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle, 3_2_00406963
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 5.75.211.162Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
Source: file.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: file.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: file.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000058A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/%
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/2
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/E
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/M
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/V
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/c
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000055D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dllb
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dllg
Source: RegAsm.exe, 00000003.00000002.2183942555.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dlls.exe
Source: RegAsm.exe, 00000003.00000002.2183942555.0000000000582000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162BKFCB
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000483000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://help.steampowered.com/en/
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869H
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: file.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2183942555.000000000048B000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.3.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary
barindex
.NET source code contains very large array initializations
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 393216
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02330C40 0_2_02330C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D933 3_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D1C3 3_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041C472 3_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D561 3_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041950A 3_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042DD1B 3_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042CD2E 3_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041B712 3_2_0041B712
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004104E7 appears 36 times
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1773322212.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameVQP.exeD vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/9@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004114A5 LdrInitializeThunk,CreateToolhelp32Snapshot,Process32First,Process32Next, 3_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,VariantClear, 3_2_00411807
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5676
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2188
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\rje\tg\jv2je3\obj\Release\ojc.pdb source: file.exe
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042582E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_0042582E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042F142 push ecx; ret 3_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00422D3B push esi; ret 3_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041DDB5 push ecx; ret 3_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00432715 push 0000004Ch; iretd 3_2_00432726
Source: file.exe Static PE information: section name: .text entropy: 7.995811814167676
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe Binary or memory string: API_LOG.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 23D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 43D0000 memory reserve | memory write watch Jump to behavior
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 3_2_0040180D
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5020 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA, 3_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410FBA GetSystemInfo, 3_2_00410FBA
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW A
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx{
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041BC21 malloc,SetFilePointer,LdrInitializeThunk,CreateFileA,CreateFileMappingA,MapViewOfFile,CloseHandle, 3_2_0041BC21
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041D016
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042582E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_0042582E
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h] 3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h] 3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h] 3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041859A mov eax, dword ptr fs:[00000030h] 3_2_0041859A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042762E SetUnhandledExceptionFilter, 3_2_0042762E
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR
.NET source code references suspicious native API functions
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_023D212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_023D212D
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 931008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040111D cpuid 3_2_0040111D
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: LdrInitializeThunk,GetLocaleInfoA, 3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: LdrInitializeThunk,GetLocaleInfoW,LdrInitializeThunk,GetLocaleInfoW,GetACP, 3_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 3_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: LdrInitializeThunk,GetLocaleInfoW,_GetPrimaryLen,_strlen, 3_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,__malloc_crt,LdrInitializeThunk,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 3_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,LdrInitializeThunk,__calloc_crt,GetLocaleInfoW,_free,LdrInitializeThunk,GetLocaleInfoW, 3_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 3_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesA, 3_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 3_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 3_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,LdrInitializeThunk,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,LdrInitializeThunk,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,_strlen,LdrInitializeThunk,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 3_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 3_2_0042E6A4
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime, 3_2_0041C0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410D2E GetTimeZoneInformation, 3_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.2185117153.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2185117153.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Vidar stealer
Source: Yara match File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Vidar stealer
Source: Yara match File source: 0.2.file.exe.33d5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.33d5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2183942555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1775378329.00000000033D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5676, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519653 Sample: file.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 24 steamcommunity.com 2->24 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Antivirus detection for URL or domain 2->34 36 8 other signatures 2->36 8 file.exe 2 2->8         started        signatures3 process4 signatures5 38 Contains functionality to inject code into remote processes 8->38 40 Writes to foreign memory regions 8->40 42 Allocates memory in foreign processes 8->42 44 Injects a PE file into a foreign processes 8->44 11 RegAsm.exe 92 8->11         started        15 conhost.exe 8->15         started        17 RegAsm.exe 8->17         started        process6 dnsIp7 26 5.75.211.162, 443, 49740, 49741 HETZNER-ASDE Germany 11->26 28 steamcommunity.com 104.102.49.254, 443, 49739 AKAMAI-ASUS United States 11->28 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->46 19 WerFault.exe 22 16 11->19         started        signatures8 process9 file10 22 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->22 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
5.75.211.162
 unknown Germany
24940 HETZNER-ASDE true

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561199780418869 true
  • Avira URL Cloud: malware
 unknown
https://5.75.211.162/ true
  • Avira URL Cloud: malware
 unknown