
Analysis Report: Documents98376532453.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 200127
Start date: 10.01.2020
Start time: 08:26:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Documents98376532453.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@51/50@4/1
EGA Information:
  • Successful, ratio: 83.3%
HDC Information:
  • Successful, ratio: 1.1% (good quality ratio 0.2%)
  • Quality average: 14.7%
  • Quality standard deviation: 30.1%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 296
  • Number of non-executed functions: 164
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MusNotification.exe, dllhost.exe, TiWorker.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, TrustedInstaller.exe
  • Excluded IPs from analysis (whitelisted): 40.90.22.188, 40.90.22.187, 40.90.22.192, 93.184.220.29, 65.52.108.90, 51.143.111.7, 13.68.93.109, 52.156.204.185, 52.155.169.137, 204.79.197.200, 13.107.21.200, 40.69.216.73, 23.210.249.93, 67.27.159.254, 67.27.159.126, 8.248.141.254, 8.253.95.120, 8.248.119.254, 13.107.4.50, 67.26.83.254, 67.27.157.254, 67.27.158.254, 8.248.123.254, 205.185.216.42, 205.185.216.10, 52.142.119.134, 8.253.204.121
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, cs9.wac.phicdn.net, lgin.msa.trafficmanager.net, geo-prod.dodsp.mp.microsoft.com.nsatc.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, 3.tlu.dl.delivery.mp.microsoft.com, fe3.delivery.dsp.mp.microsoft.com.nsatc.net, www.microsoft.com-c-3.edgekey.net, geo-prod.do.dsp.mp.microsoft.com, ocsp.digicert.com, login.live.com, tsfe.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, sls.update.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, www.bing.com, dual-a-0001.a-msedge.net, sls.update.microsoft.com.akadns.net, 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, cds.d2s7q6s2.hwcdn.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, sls.emea.update.microsoft.com.akadns.net, fe3.delivery.mp.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, array611-prod.do.dsp.mp.microsoft.com, au.c-0001.c-msedge.net, www.microsoft.com, e13678.dspb.akamaiedge.net, tsfe.trafficshaping.dsp.mp.microsoft.com
  • Execution Graph export aborted for target Documents98376532453.exe, PID 4480 because there are no executed functions
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold | Score: 100 | Range: 0 - 100 | Whitelisted: false | Threat: HawkEye | Detection: malicious

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification

Analysis Advice

All domains contacted by the sample fail to resolve; the sample is likely an old dropper whose infrastructure no longer works
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix is reproduced here per tactic. A number in parentheses after a technique is the signature-count badge shown in that matrix cell, copied as extracted; techniques without a number are listed by the matrix but carry no signature badge.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship
Execution: Windows Management Instrumentation (111), Execution through API (11), Command-Line Interface (1), Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell
Persistence: Bootkit (1), Startup Items (1), Registry Run Keys / Startup Folder (2), Hidden Files and Directories (1), Application Shimming (1), New Service (1), Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association
Privilege Escalation: Startup Items (1), Access Token Manipulation (1), Process Injection (12), Application Shimming (1), New Service (1), New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation
Defense Evasion: Software Packing (1), Disabling Security Tools (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Masquerading (121), Hidden Files and Directories (1), Virtualization/Sandbox Evasion (14), Access Token Manipulation (1), Process Injection (12), DLL Side-Loading (11)
Credential Access: Credential Dumping (1), Credentials in Files (1), Input Capture (1), Credentials in Registry (1), Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain
Discovery: System Time Discovery (1), Security Software Discovery (231), File and Directory Discovery (3), System Information Discovery (19), Virtualization/Sandbox Evasion (14), Process Discovery (4), Application Window Discovery (1), Remote System Discovery (1), System Network Connections Discovery, Process Discovery
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content
Collection: Data from Local System (1), Email Collection (1), Input Capture (1), Clipboard Data (2), Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture
Exfiltration: Data Encrypted (111), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port
Command and Control: Standard Cryptographic Protocol (1), Remote Access Tools (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (1), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Antivirus detection for sample
Source: Documents98376532453.exe | Avira: detection malicious, Label: HEUR/AGEN.1032623
Found malware configuration
Source: vbc.exe.4228.29.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: Documents98376532453.exe | Virustotal: Detection: 77%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1r52hgs4.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Documents98376532453.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00408CAC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00408CAC FindFirstFileW,FindNextFileW,FindClose
Enumerates the file system
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WCN\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 1.1.1.1
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: mail.ifffco.me, reply code: Name error (3, NXDOMAIN)
Found strings which match known social media URLs
Source: vbc.exe, 0000000F.00000003.1807696908.0000000000C89000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.1821790504.0000000000C89000.00000004.00000040.sdmp, vbc.exe, 0000001A.00000003.2234012869.00000000001F9000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000003.2249932312.0000000000AD9000.00000004.00000001.sdmp, vbc.exe, 00000020.00000003.2659788258.0000000000B29000.00000004.00000001.sdmp | String found in binary or memory: ://192.168.2.1/all/newvms/test.docfile://192.168.2.1/all/newvms/test.txtfile://192.168.2.1/all/newvms/test.htmlhttps://www.heise.de/javascript:try{external.ExecuteSelectionMenuItem('Stop')}catch(err){UpdateState()}https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile:///C:/jbxinitvm.au3http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/acc
Source: RegAsm.exe, 00000009.00000002.3466317429.0000000004CB0000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000002.1808014905.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000010.00000002.3472718506.00000000028E0000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.1822143967.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000009.00000002.3466317429.0000000004CB0000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000002.1808014905.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000010.00000002.3472718506.00000000028E0000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.1822143967.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000025.00000002.3101409783.00000000021FF000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/newvms/test.docfile://192.168.2.1/all/newvms/test.txtfile://192.168.2.1/all/newvms/test.htmlhttps://www.heise.de/javascript:try{external.ExecuteSelectionMenuItem('Stop')}catch(err){UpdateState()}https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile:///C:/jbxinitvm.au3http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com
Source: vbc.exe, 00000024.00000003.3085271933.00000000020EF000.00000004.00000001.sdmp | String found in binary or memory: file://192.168.2.1/all/newvms/test.docfile://192.168.2.1/all/newvms/test.txtfile://192.168.2.1/all/newvms/test.htmlhttps://www.heise.de/javascript:try{external.ExecuteSelectionMenuItem('Stop')}catch(err){UpdateState()}https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile:///C:/jbxinitvm.au3http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com
Source: vbc.exe, 00000012.00000002.1822723091.0000000000C8A000.00000004.00000040.sdmp, vbc.exe, 0000001B.00000002.2251236887.0000000000ADA000.00000004.00000040.sdmp | String found in binary or memory: go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000012.00000002.1822723091.0000000000C8A000.00000004.00000040.sdmp, vbc.exe, 0000001B.00000002.2251236887.0000000000ADA000.00000004.00000040.sdmp | String found in binary or memory: go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000002.1808752473.0000000000C8A000.00000004.00000040.sdmp, vbc.exe, 0000001A.00000002.2234383133.00000000001FA000.00000004.00000040.sdmp, vbc.exe, 00000020.00000002.2660837393.0000000000B2A000.00000004.00000040.sdmp | String found in binary or memory: icrosoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000F.00000002.1808752473.0000000000C8A000.00000004.00000040.sdmp, vbc.exe, 0000001A.00000002.2234383133.00000000001FA000.00000004.00000040.sdmp, vbc.exe, 00000020.00000002.2660837393.0000000000B2A000.00000004.00000040.sdmp | String found in binary or memory: icrosoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://tarifrechner.heise.de/widget.php?produkt=dslhttps://tarifrechner.heise.de/widget.phphttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mail.ifffco.me
Urls found in memory or binary data
Source: RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 00000009.00000002.3464787287.0000000002CB0000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: Documents98376532453.exe, 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp, Documents98376532453.exe, 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3470503895.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000009.00000002.3464787287.0000000002CB0000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: Documents98376532453.exe, 00000000.00000002.1764863223.00000000028A0000.00000004.00000001.sdmp, Documents98376532453.exe, 0000000B.00000002.1812814769.0000000003370000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000025.00000003.3100121175.00000000001F9000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.co..
Source: vbc.exe, 00000012.00000002.1822595736.00000000007C0000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMh
Source: vbc.exe, 0000000F.00000002.1808548589.00000000007D0000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpbLMEMh(
Source: vbc.exe, 0000000F.00000002.1807954855.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000012.00000002.1822057396.0000000000193000.00000004.00000010.sdmp, vbc.exe, 0000001A.00000002.2234311602.0000000000193000.00000004.00000010.sdmp, vbc.exe, 0000001B.00000002.2250352633.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000020.00000002.2660022919.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000021.00000002.2671627928.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.3085838010.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000025.00000002.3100490671.0000000000193000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegAsm.exe, 00000009.00000002.3464787287.0000000002CB0000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: WindowsUpdateBox.exe, 0000001C.00000003.2496184110.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2493574802.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2495947273.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2501944027.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2502631700.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2499332757.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2494564829.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2498911935.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2501633870.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2495637635.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2499800899.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2494890802.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2496061970.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2493021983.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2495221548.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2494725950.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2495781604.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2493351987.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2496370044.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2495495212.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2503003847.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2504201289.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2502155491.0000017B1B6E1000.00000004.00000001.sdmp, mediasetupuimgr.dll.mui4.28.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade
Source: WindowsUpdateBox.exe, 0000001C.00000003.2499206243.0000017B1B6E1000.00000004.00000001.sdmp, WindowsUpdateBox.exe, 0000001C.00000003.2493170488.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgrade.
Source: WindowsUpdateBox.exe, 0000001C.00000003.2504273002.0000017B1B6E1000.00000004.00000001.sdmp, mediasetupuimgr.dll.mui4.28.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade9
Source: WindowsUpdateBox.exe, 0000001C.00000003.2495357010.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgraded
Source: WindowsUpdateBox.exe, 0000001C.00000003.2499049654.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgradeqEr
Source: WindowsUpdateBox.exe, 0000001C.00000003.2502307956.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgraderVi
Source: WindowsUpdateBox.exe, 0000001C.00000003.2502471351.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgradey
Source: WindowsUpdateBox.exe, 0000001C.00000003.2494159409.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgradezSorry
Source: WindowsUpdateBox.exe, 0000001C.00000003.2493961037.0000017B1B6E1000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/windowsserverupgrade~Sorry
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000012.00000003.1821691587.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000002.2251346567.00000000022B0000.00000004.00000001.sdmp, vbc.exe, 00000021.00000003.2671014920.0000000002230000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/33
Source: vbc.exe, 0000000F.00000003.1807696908.0000000000C89000.00000004.00000001.sdmp, vbc.exe, 0000000F.00000003.1805883293.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.1821200862.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.1821790504.0000000000C89000.00000004.00000040.sdmp, vbc.exe, 0000001A.00000003.2234012869.00000000001F9000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.2233408439.00000000021E0000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000003.2247658411.00000000022B0000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000003.2249932312.0000000000AD9000.00000004.00000001.sdmp, vbc.exe, 00000020.00000003.2659116967.0000000000A50000.00000004.00000001.sdmp, vbc.exe, 00000020.00000003.2659788258.0000000000B29000.00000004.00000001.sdmp, vbc.exe, 00000021.00000003.2669236742.0000000002230000.00000004.00000001.sdmp, vbc.exe, 00000024.00000003.3085271933.00000000020EF000.00000004.00000001.sdmp, vbc.exe, 00000025.00000002.3101409783.00000000021FF000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/javascript:try
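The Analysis Advice above says the contacted domains no longer resolve, and the Networking section mixes the sample's own indicators (pomf.cat and a.pomf.cat as the upload target, bot.whatismyipaddress.com, the Name error reply for mail.ifffco.me) with strings that are not the sample's infrastructure at all: the Facebook, Yahoo and Google login URLs are reported from the 0x400000 region of vbc.exe with protection value 0x40, the same region that carries the nirsoft.net string, while the msn.com, heise.de and jbxinitvm.au3 strings are reported from non-executable regions of the same processes and look like the analysis VM's own browsing history (note the jbxinitvm.au3 and 192.168.2.1 entries) read at run time. The helper below, added here as example code and not part of the Joe Sandbox report or of Joe Security's tooling, parses report lines of the form used in this section and sorts the evidence that way. Its assumptions, which the report does not state, are: a .sdmp name is read as process-index.phase.dump-id.base.protection.type with protection a Win32 PAGE_* value (so 0x40 is an executable region); the three processes in SAMPLE_CHAIN are taken to be the sample's because they carry the HawkEye Yara hits and NirSoft strings on this page; jbxinitvm.au3 and 192.168.2.1 are treated as sandbox residue; the input lines are a condensed, constructed subset of the lines above.

```python
"""Added triage helper for the URL / DNS evidence of a Joe Sandbox signature
section. Example code for this page, not part of the report or of any Joe
Security tooling. See the lead-in for the assumptions it makes."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: processes carrying the HawkEye Yara hits / NirSoft strings above.
SAMPLE_CHAIN = {"Documents98376532453.exe", "RegAsm.exe", "vbc.exe"}
# Subset of the report's "Excluded domains from analysis (whitelisted)" list.
WHITELISTED = {"www.microsoft.com", "login.live.com", "www.bing.com", "ocsp.digicert.com"}
SANDBOX_MARKERS = ("jbxinitvm", "192.168.2.1")   # assumption: analysis-VM residue
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80    # Win32 PAGE_EXECUTE* bits

# A URL runs until whitespace or the start of the next scheme (strings are concatenated).
URL_RE = re.compile(r"(?:https?|file|res)://(?:(?!(?:https?|file|res)://)\S)*")
# Assumption: <proc index>.<phase>.<dump id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(r"([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
EXE_RE = re.compile(r"\b([\w-]+\.exe)\b")
DNS_RE = re.compile(r"query:\s*(\S+).*?\((\d+)\)")
FIELDS = ("String found in binary or memory:", "DNS traffic detected:")

# Constructed input: condensed copies of lines from this report's Networking section.
REPORT_LINES = [
    "Source: unknownDNS traffic detected: query: mail.ifffco.me replaycode: Name error (3)",
    "Source: RegAsm.exe, 00000009.00000002.3464787287.0000000002CB0000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php",
    "Source: Documents98376532453.exe, 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/",
    "Source: RegAsm.exe, 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/",
    r"Source: vbc.exe, 0000000F.00000002.1808014905.0000000000400000.00000040.00000001.sdmpString found in binary or memory: Software\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)",
    "Source: vbc.exe, 0000000F.00000003.1807696908.0000000000C89000.00000004.00000001.sdmpString found in binary or memory: file:///C:/jbxinitvm.au3http://www.msn.com/de-ch/?ocid=iehphttps://www.microsoft.com/en-us/welcomeie11/",
    "Source: vbc.exe, 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/",
    "Source: WindowsUpdateBox.exe, 0000001C.00000003.2499049654.0000017B1B6E1000.00000004.00000001.sdmpString found in binary or memory: https://aka.ms/windowsserverupgradeqEr",
    "Source: WindowsUpdateBox.exe, 0000001C.00000003.2494159409.0000017B1B6E1000.00000004.00000001.sdmpString found in binary or memory: https://aka.ms/windowsserverupgradezSorry",
]


def parse_sdmp(name):
    """Decode one memory-dump name; None if it is not a .sdmp name."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    protect = int(m.group(4), 16)
    return {"proc_index": int(m.group(1), 16), "phase": int(m.group(2), 16),
            "base": int(m.group(3), 16), "protect": protect,
            "executable": bool(protect & PAGE_EXECUTE_MASK)}


def parse_line(line):
    """Split 'Source: <sources><Field>: <value>' (flattened or ' | '-separated)."""
    for field in FIELDS:
        head, sep, value = line.partition(field)
        if sep and head.startswith("Source:"):
            src = head[len("Source:"):].strip().rstrip("|").strip()
            return src, field, value.strip()
    return None


def triage(lines):
    """Group every URL by host with the processes and memory regions it was seen in."""
    hosts = defaultdict(lambda: {"raw": set(), "procs": set(), "in_exec_region": False, "tags": set()})
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[1] == FIELDS[1]:
            continue
        src, _, value = parsed
        procs = set(EXE_RE.findall(src))
        regions = [parse_sdmp(m.group(0)) for m in SDMP_RE.finditer(src)]
        exec_region = any(r["executable"] for r in regions)
        for url in URL_RE.findall(value):
            url = url.rstrip("&;,.'\")")          # carving noise glued to the URL
            parts = urlsplit(url)
            host = parts.hostname or "(local)"
            entry = hosts[host]
            entry["raw"].add(url)
            entry["procs"] |= procs
            entry["in_exec_region"] |= exec_region
            if parts.scheme not in ("http", "https"):
                entry["tags"].add("local")
            if any(marker in url for marker in SANDBOX_MARKERS):
                entry["tags"].add("sandbox-residue")
            if host in WHITELISTED:
                entry["tags"].add("whitelisted")
            if procs & SAMPLE_CHAIN:
                entry["tags"].add("sample-chain")
    return dict(hosts)


def sample_indicators(lines):
    """Hosts seen in the sample's own processes, minus whitelisted, local and sandbox strings."""
    drop = {"local", "sandbox-residue", "whitelisted"}
    return sorted(h for h, e in triage(lines).items()
                  if "sample-chain" in e["tags"] and not (e["tags"] & drop))


def dead_domains(lines):
    """Queried names answered with RCODE 3 (NXDOMAIN): infrastructure that no longer resolves."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == FIELDS[1]:
            m = DNS_RE.search(parsed[2])
            if m and int(m.group(2)) == 3:
                out.append(m.group(1))
    return out


if __name__ == "__main__":
    for host, entry in sorted(triage(REPORT_LINES).items()):
        print(f"{host:28} procs={sorted(entry['procs'])} exec={entry['in_exec_region']} tags={sorted(entry['tags'])}")
    print("sample indicators:", sample_indicators(REPORT_LINES))
    print("dead domains:", dead_domains(REPORT_LINES))
```

The host-level view is what to act on: aka.ms drops out because only WindowsUpdateBox.exe carried it, www.microsoft.com drops out as whitelisted, the file:// sandbox strings drop out as residue, and among the hosts that remain the in_exec_region flag separates strings baked into the unpacked tool image (the login URLs, nirsoft.net) from data read at run time (www.msn.com). The hosts worth blocking from this report are pomf.cat, a.pomf.cat and bot.whatismyipaddress.com, plus the dead mail.ifffco.me for retrospective hunting.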

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1765963041.00000000038E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1814139537.00000000043B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3474234859.0000000002D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3464787287.0000000002CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3470503895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 368, type: MEMORY
Source: Yara match | File source: Process Memory Space: Documents98376532453.exe PID: 4480, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: Yara match | File source: Process Memory Space: Documents98376532453.exe PID: 1956, type: MEMORY
Source: Yara match | File source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Documents98376532453.exe.5df0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Documents98376532453.exe.5500000.4.unpack, type: UNPACKEDPE
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_0040F078 OpenClipboard,GetLastError,DeleteFileW
Creates a DirectInput object (often for capturing keystrokes)
Source: Documents98376532453.exe, 00000000.00000002.1764488792.0000000000D10000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000022.00000002.2868586026.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000015.00000002.2014971710.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001D.00000002.2441316185.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000026.00000002.3295802146.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000010.00000002.3472718506.00000000028E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000000.00000002.1765963041.00000000038E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000016.00000002.2034928519.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000000B.00000002.1814139537.00000000043B5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000023.00000002.2882667238.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000009.00000002.3466317429.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000010.00000002.3470503895.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001E.00000002.2459542764.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 368, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: Documents98376532453.exe PID: 4480, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: Documents98376532453.exe PID: 1956, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 29.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 39.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.RegAsm.exe.28e0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.RegAsm.exe.4cb0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 38.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 29.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 34.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.RegAsm.exe.28e0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.Documents98376532453.exe.5df0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.Documents98376532453.exe.5df0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0.2.Documents98376532453.exe.5500000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 39.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.Documents98376532453.exe.5500000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 9.2.RegAsm.exe.4cb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 34.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 38.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
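The Yara table above lists the same two rule families dozens of times, once per memory dump and once per unpacked PE, and the flattened rows are hard to read. What a responder actually wants is one line per sandbox process: which image it is, which rules fired in it, and whether the hit sits in an RWX region at the usual image base (the footprint of a payload written over a hollowed host such as RegAsm.exe or vbc.exe) rather than in a read-write heap buffer. The script below is an added example and not Joe Sandbox tooling. It assumes the .sdmp name layout "process index (hex).phase.counter.base address.page protection.flags", which is read off the values on this page (0x04 and 0x40 are the winnt.h PAGE_READWRITE and PAGE_EXECUTE_READWRITE values), and it treats 0x400000 to 0x500000 as the image range, which is a heuristic. "Process Memory Space ... PID" rows carry no process index and are not mapped, since this section gives no PID-to-index table. The sample rows are copied from the report above.

```python
"""Triage the flattened Yara-match rows of a Joe Sandbox report (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

PAGE_READWRITE = 0x04           # winnt.h
PAGE_EXECUTE_READWRITE = 0x40   # winnt.h

# Memory-dump names, e.g. 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp
# Assumed layout: <process index, hex>.<phase>.<counter>.<base address>.<page protection>.<flags>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# Unpacked-PE names, e.g. 9.2.RegAsm.exe.400000.0.unpack or 29.2.vbc.exe.400000.0.raw.unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$"
)
PSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: \d+$")
# One table row; the optional " | " also accepts rows whose column break was restored.
ROW_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>[A-Z]+)(?: \| )?"
    r"Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)


@dataclass(frozen=True)
class YaraHit:
    rule: str
    author: str
    source_type: str           # MEMORY or UNPACKEDPE
    process: Optional[int]     # sandbox process index; None for PID-only rows
    image: Optional[str]       # image name when the source carries one
    base: Optional[int]
    protection: Optional[int]  # only .sdmp sources carry a protection value


def parse_row(line: str) -> Optional[YaraHit]:
    """Parse one 'Matched rule' row; return None for headings and page residue."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src = m["src"]
    proc = image = base = prot = None
    if (d := SDMP_RE.match(src)):
        proc, base, prot = int(d["proc"], 16), int(d["base"], 16), int(d["prot"], 16)
    elif (u := UNPACK_RE.match(src)):
        proc, image, base = int(u["proc"]), u["image"], int(u["base"], 16)
    elif (p := PSPACE_RE.match(src)):
        image = p["image"]
    return YaraHit(m["rule"], m["author"], m["type"], proc, image, base, prot)


def is_rwx_image_hit(hit: YaraHit) -> bool:
    """RWX memory dump inside the (heuristic) 0x400000 image range: payload over a hollowed host."""
    return (hit.source_type == "MEMORY" and hit.protection == PAGE_EXECUTE_READWRITE
            and hit.base is not None and 0x400000 <= hit.base < 0x500000)


def summarize(lines: Iterable[str]) -> Dict[int, dict]:
    """Per process index: image (from unpack rows), sorted rule names, RWX-image flag."""
    hits = [h for h in map(parse_row, lines) if h is not None]
    images = {h.process: h.image for h in hits if h.process is not None and h.image}
    rules: Dict[int, Set[str]] = defaultdict(set)
    for h in hits:
        if h.process is not None:
            rules[h.process].add(h.rule)
    return {
        proc: {
            "image": images.get(proc),
            "rules": sorted(names),
            "rwx_image_hit": any(h.process == proc and is_rwx_image_hit(h) for h in hits),
        }
        for proc, names in sorted(rules.items())
    }


# Rows copied from the report above, in the flattened form the extractor emits.
SAMPLE_ROWS: List[str] = [
    "Source: 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth",
    "Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen",
    "Source: 0000001D.00000002.2441316185.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth",
    "Source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: Process Memory Space: RegAsm.exe PID: 368, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen",
    "Source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth",
    "Source: 39.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth",
    "barindex",  # page residue, must be ignored
]

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_ROWS).items():
        print(f"process {proc:>2} {info['image'] or '?':<26} rwx={info['rwx_image_hit']!s:<5} {', '.join(info['rules'])}")
```

Run on the full table, the view separates the dropper (HawkEye rules in read-write heap dumps of Documents98376532453.exe, processes 0 and 11), the hollowed RegAsm.exe hosts (HawkEye at 0x402000, RWX) and the hollowed vbc.exe children (the KimJongRAT rule at 0x400000, RWX). A second family name on child processes of one chain deserves a look at what those children hold, given the credential-recovery URL strings reported for vbc.exe above, before the case is filed as two separate infections.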
.NET source code contains very large strings
Source: Documents98376532453.exe, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Source: Documents98376532453.exe.0.dr, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Source: 0.2.Documents98376532453.exe.580000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Source: 0.0.Documents98376532453.exe.580000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Source: 11.2.Documents98376532453.exe.e70000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Source: 11.0.Documents98376532453.exe.e70000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs | Long String: Length: 65484
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Documents98376532453.exe
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 9_2_07BB2A96 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 9_2_07BB2A6B NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 16_2_07D22BB2 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 16_2_07D22B87 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Creates driver files
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | File created: C:\$WINDOWS.~BT\Sources\NXQuery.sys
Creates files inside the system directory
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | File created: C:\Windows\Logs\MoSetup\BlueBox.log
Detected potential crypto function
Source: C:\Users\user\Desktop\Documents98376532453.exe | Code functions (process 0, 0_2_<address>): 02815998, 02815993
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code functions (process 9, 9_2_<address>): 00F3247C, 04EBDCB8, 04EBE8BF, 04EB188B, 04EBD060, 04EBE071, 04EB1442, 04EB1846, 04EBF459, 04EB0801, 04EBA1F0, 04EB5588, 04EB4998, 04EB1576, 04EBD920, 04EBD680, 04EBE298, 04EBE640, 04EB7A18, 04EBD3C8, 04EB8BA0, 04EB13BB, 04EB3398, 04EB7F20, 04EB1CE5, 04EB60F2, 04EB1CF5, 04EB1CC4, 04EB1CD5, 04EBDCA8, 04EB1CAC, 04EB1CA0, 04EB1CBD, 04EB08B0, 04EB38B7, 04EB388B, 04EB0880, 04EB1C90, 04EB3868, 04EB1C7C, 04EB8448, 04EB085C, 04EB083C, 04EB0809, 04EB3C00, 04EB0816, 04EB41CA, 04EB19C1, 04EB45C0, 04EB39DA, 04EB41D8, 04EB4DD3, 04EB45B2, 04EB4DB0, 04EB3580, 04EB1D61, 04EB1977, 04EB1940, 04EB1D44, 04EB1D50, 04EB6D38, 04EB1D3C, 04EB390D, 04EB6100, 04EB1D04, 04EBD910, 04EB1D14, 04EBDEDC, 04EB7ED1, 04EB3AB4, 04EB369C, 04EB1A66, 04EBD678, 04EB1671, 04EB3671, 04EB3A77, 04EB6A2A, 04EB7A28, 04EB3A3A, 04EBE630, 04EB3E00, 04EBDE07, 04EB361B, 04EB3218, 04EB37FA, 04EB3BC9, 04EBD3B9, 04EB37B8, 04EB3388, 04EB1B8F, 04EB3B85, 04EB8B90, 04EB3B95, 04EB5768, 04EB3B6F, 04EB3B67, 04EB3B7F, 04EB3777, 04EB3744, 04EBF750, 04EB3B57, 04EB2720, 04EB2730, 04EB3B0F, 04EB3711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code functions (process 15, 15_2_<address>): 0044900F, 004042EB, 00414281, 00410291, 004063BB, 00415624, 0041668D, 0040477F, 0040487C, 0043589B, 0043BA9D, 0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code functions (process 16, 16_2_<address>): 0299EED8, 02998618, 02997A28, 0299CE48, 0299D3A0, 0299CB10, 0299DB00, 0299D738, 0299E33F, 02997F20, 02999C88, 029908B0, 0299E0C0, 02993C00, 02994998, 02991D80, 0299DD18, 0299D100, 0299DAF1, 02993218, 02997A1D, 02993217, 02993E00, 02996A38, 02996A30, 0299CE41, 02993398, 0299D39D, 02993390, 02993BF8, 02997F1D, 0299CB0C, 02992730, 0299D72B, 0299272C, 02995768, 02995761, 0299C496, 0299D887, 0299E0B1, 029908AC, 0299C4D9, 0299D0F8, 02994994, 029945B1, 02994DB0, 02994DAD, 029941D8, 0299F1D0, 029941D4, 0299F1C1, 029945C0, 02993DF8, 0299C51D, 02996100, 02996D38, 0299D95C, 02991D7D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code functions (process 18, 18_2_<address>): 0044900F, 004042EB, 00414281, 00410291, 004063BB, 00415624, 0041668D, 0040477F, 0040487C, 0043589B, 0043BA9D, 0043FBD3
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0044465C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0044466E appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00415F19 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0044468C appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00444B90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0041607A appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0042F6EF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004162C2 appears 174 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004083D6 appears 64 times
PE file contains strange resources
Source: Documents98376532453.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents98376532453.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents98376532453.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Documents98376532453.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: bw2vid3m.dll.4.dr, Static PE information: No import functions for PE file found
Source: setupcore.dll.mui.28.dr, Static PE information: No import functions for PE file found
Source: 1r52hgs4.dll.12.dr, Static PE information: No import functions for PE file found
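The check behind this signature, as an added example that is not part of the Joe Sandbox report: a dependency-free Python parser that reads the import data directory of a PE and, when one is present, walks the IMAGE_IMPORT_DESCRIPTOR chain to name the DLLs. The two images it runs on are constructed header-only PE32 files built in memory, not bw2vid3m.dll, 1r52hgs4.dll or setupcore.dll.mui from the report.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import table in the optional header's data directory


def _sections(data: bytes, nt_off: int, num_sections: int, opt_size: int):
    """Yield (name, virtual_address, size, raw_pointer) for every section header."""
    off = nt_off + 4 + 20 + opt_size            # PE signature + COFF header + optional header
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, off + 40 * i)
        yield name.rstrip(b'\0').decode('ascii', 'replace'), va, max(vsize, rawsize), rawptr


def rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    for _, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f'RVA {rva:#x} is not backed by any section')


def import_summary(data: bytes) -> dict:
    """Report whether the PE carries an import directory and which DLLs it names."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    nt_off = struct.unpack_from('<I', data, 0x3C)[0]          # e_lfanew
    if data[nt_off:nt_off + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    coff = nt_off + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:                                         # PE32
        ndirs_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                                       # PE32+
        ndirs_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f'unknown optional header magic {magic:#x}')
    ndirs = struct.unpack_from('<I', data, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {'has_import_directory': False, 'dlls': []}
    imp_rva, imp_size = struct.unpack_from('<II', data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0 or imp_size == 0:                          # what the sandbox reports as "no imports"
        return {'has_import_directory': False, 'dlls': []}

    sections = list(_sections(data, nt_off, num_sections, opt_size))
    dlls = []
    off = rva_to_offset(sections, imp_rva)
    while off + 20 <= len(data):                               # never read past a truncated file
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        _, _, _, name_rva, first_thunk = struct.unpack_from('<IIIII', data, off)
        if name_rva == 0 or first_thunk == 0:                  # the all-zero descriptor ends the list
            break
        name_off = rva_to_offset(sections, name_rva)
        dlls.append(data[name_off:data.index(b'\0', name_off)].decode('ascii', 'replace'))
        off += 20
    return {'has_import_directory': True, 'dlls': dlls}


def build_minimal_pe(dll_names) -> bytes:
    """Constructed sample input: a header-only PE32 with one .idata section.
    An empty list zeroes the import directory, the shape the flagged files have."""
    sect_va, sect_raw, sect_size = 0x1000, 0x200, 0x200
    body = bytearray(sect_size)
    if dll_names:
        n = len(dll_names)
        thunk_rva = sect_va + 20 * (n + 1)     # one shared null thunk right after the descriptors
        cursor = thunk_rva + 8                 # DLL name strings follow the thunk
        for i, name in enumerate(dll_names):
            struct.pack_into('<IIIII', body, 20 * i, 0, 0, 0, cursor, thunk_rva)
            raw = name.encode('ascii') + b'\0'
            body[cursor - sect_va:cursor - sect_va + len(raw)] = raw
            cursor += len(raw)
        import_dir = (sect_va, 20 * (n + 1))
    else:
        import_dir = (0, 0)
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                        # e_lfanew -> PE signature
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<I', opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, *import_dir)
    sect = struct.pack('<8sIIIIIIHHI', b'.idata', sect_size, sect_va, sect_size, sect_raw,
                       0, 0, 0, 0, 0x40000040)                   # INITIALIZED_DATA | READ
    headers = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + sect
    return headers.ljust(sect_raw, b'\0') + bytes(body)


if __name__ == '__main__':
    for label, sample in (('no imports', build_minimal_pe([])),
                          ('imports', build_minimal_pe(['kernel32.dll', 'advapi32.dll']))):
        print(label, import_summary(sample))
```

An empty import directory is expected for resource-only files such as .mui DLLs and occurs in some managed assemblies, so the signature is weak on its own; for a native PE it usually means APIs are resolved by hand at run time, or the headers were rebuilt from a memory dump, which is why the sandbox flags it.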
Sample file is different than original file name gathered from version info
Only swriter.exe is the OriginalFilename of the sample's own version resource (it is found in the mapped image region and in the file on disk); Reborn Stub.exe, 2akDYq1TCFMj57tQ.crypted.exe, adderalldll.dll, bw2vid3m.dll and 1r52hgs4.dll are names carried by payloads unpacked into heap memory at run time, and clr.dll is the .NET runtime.
Source: Documents98376532453.exe, 00000000.00000002.1764878112.00000000028AB000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameReborn Stub.exe" vs Documents98376532453.exe
Source: Documents98376532453.exe, 00000000.00000000.1744909856.00000000005B0000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameswriter.exeD vs Documents98376532453.exe
Source: Documents98376532453.exe, 00000000.00000002.1765963041.00000000038E5000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename2akDYq1TCFMj57tQ.crypted.exe4 vs Documents98376532453.exe
Source: Documents98376532453.exe, 00000000.00000002.1764969424.00000000028FB000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameadderalldll.dll8 vs Documents98376532453.exe
Source: Documents98376532453.exe, 00000000.00000002.1764488792.0000000000D10000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Documents98376532453.exe
Source: Documents98376532453.exe, 00000000.00000002.1767751734.0000000004DA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamebw2vid3m.dll4 vs Documents98376532453.exe
Source: Documents98376532453.exe, 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameReborn Stub.exe" vs Documents98376532453.exe
Source: Documents98376532453.exe, 0000000B.00000002.1812950627.00000000033CB000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameadderalldll.dll8 vs Documents98376532453.exe
Source: Documents98376532453.exe, 0000000B.00000002.1814139537.00000000043B5000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename2akDYq1TCFMj57tQ.crypted.exe4 vs Documents98376532453.exe
Source: Documents98376532453.exe, 0000000B.00000000.1790520234.0000000000EA0000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameswriter.exeD vs Documents98376532453.exe
Source: Documents98376532453.exe, 0000000B.00000002.1812580959.0000000003170000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename1r52hgs4.dll4 vs Documents98376532453.exe
Source: Documents98376532453.exe, Binary or memory string: OriginalFilenameswriter.exeD vs Documents98376532453.exe
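The same comparison, as an added example rather than the sandbox's own code: version-info strings are stored as UTF-16LE key/value pairs, so scanning a memory dump for the key OriginalFilename and reading the value up to its terminator recovers every embedded payload name, including ones that are never mapped as a proper resource tree. The byte buffer below is a constructed stand-in for a dump; the names in it are the ones the report lists.

```python
import re

# The key as it appears inside a VS_VERSIONINFO String block: UTF-16LE, NUL-terminated,
# optionally followed by 2 bytes of padding before the value
_KEY = 'OriginalFilename'.encode('utf-16-le')
_KEY_RE = re.compile(re.escape(_KEY) + rb'\x00\x00(?:\x00\x00)?')


def original_filenames(blob: bytes) -> list:
    """Every OriginalFilename value in a dump or file, read up to its UTF-16 terminator."""
    values = []
    for m in _KEY_RE.finditer(blob):
        pos = m.end()
        units = []
        while pos + 1 < len(blob) and blob[pos:pos + 2] != b'\x00\x00':
            units.append(blob[pos:pos + 2])
            pos += 2
        value = b''.join(units).decode('utf-16-le', 'replace').strip()
        if value:
            values.append(value)
    return values


def name_mismatches(sample_name: str, blob: bytes) -> list:
    """Names whose OriginalFilename disagrees with the file name the sample arrived under."""
    return [v for v in original_filenames(blob) if v.lower() != sample_name.lower()]


def _vs_string(key: str, value: str) -> bytes:
    """Constructed fragment of a version-info String entry (key and value only)."""
    return key.encode('utf-16-le') + b'\x00\x00' + value.encode('utf-16-le') + b'\x00\x00'


# Constructed stand-in for a process memory dump (not a real dump from the analysis)
SAMPLE_DUMP = (
    b'\x90' * 32
    + _vs_string('OriginalFilename', 'swriter.exe')
    + b'\x00' * 6 + b'AB'
    + _vs_string('OriginalFilename', 'Reborn Stub.exe')
    + _vs_string('InternalName', 'ignored')
    + _vs_string('OriginalFilename', 'Documents98376532453.exe')
)

if __name__ == '__main__':
    print(original_filenames(SAMPLE_DUMP))
    print(name_mismatches('Documents98376532453.exe', SAMPLE_DUMP))
```

Reading up to the terminator is what keeps the values clean; the sandbox's string extractor does not, which is why its output carries the stray characters (the `"`, `D`, `4`, `8`, `T`) that belong to the next field.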
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Section loaded: sfc.dll
Yara signature match
Four rules fired. Each rule's metadata is identical on every hit, so it is given once per rule; the matching sources follow, grouped by rule.

Rule: MAL_HawkEye_Keylogger_Gen_Dec18 (date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.1765963041.00000000038E5000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.1814139537.00000000043B5000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000002.3461796358.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.3470503895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Process Memory Space: Documents98376532453.exe PID: 4480, type: MEMORY
Source: Process Memory Space: Documents98376532453.exe PID: 1956, type: MEMORY
Source: Process Memory Space: RegAsm.exe PID: 368, type: MEMORY
Source: Process Memory Space: RegAsm.exe PID: 4304, type: MEMORY
Source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPE
Source: 0.2.Documents98376532453.exe.5500000.4.unpack, type: UNPACKEDPE
Source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPE
Source: 11.2.Documents98376532453.exe.5df0000.4.unpack, type: UNPACKEDPE
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Rule: HawkEyev9 (author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload)
Source: 00000000.00000002.1768327277.0000000005500000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000B.00000002.1816862838.0000000005DF0000.00000004.00000001.sdmp, type: MEMORY
Source: 0.2.Documents98376532453.exe.5500000.4.raw.unpack, type: UNPACKEDPE
Source: 0.2.Documents98376532453.exe.5500000.4.unpack, type: UNPACKEDPE
Source: 11.2.Documents98376532453.exe.5df0000.4.raw.unpack, type: UNPACKEDPE
Source: 11.2.Documents98376532453.exe.5df0000.4.unpack, type: UNPACKEDPE
Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 (date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
Source: 00000009.00000002.3466317429.0000000004CB0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000010.00000002.3472718506.00000000028E0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000015.00000002.2014971710.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000016.00000002.2034928519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001D.00000002.2441316185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000001E.00000002.2459542764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000022.00000002.2868586026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000023.00000002.2882667238.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000026.00000002.3295802146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 9.2.RegAsm.exe.4cb0000.1.raw.unpack, type: UNPACKEDPE
Source: 9.2.RegAsm.exe.4cb0000.1.unpack, type: UNPACKEDPE
Source: 16.2.RegAsm.exe.28e0000.1.raw.unpack, type: UNPACKEDPE
Source: 16.2.RegAsm.exe.28e0000.1.unpack, type: UNPACKEDPE
Source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 29.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 29.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 34.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 34.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 38.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 38.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 39.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 39.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Rule: Methodology_Suspicious_Shortcut_Local_URL (author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019)
Source: dropped/EyXKWK.url, type: DROPPED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url, type: DROPPED

Note on the BabyShark hits: every APT_NK_BabyShark_KimJoingRAT_Apr19_1 match lands either in a vbc.exe child (the memory-dump indices 0x15 to 0x27 are the vbc.exe processes 21 to 39 above) or in a secondary region of RegAsm.exe (0x4cb0000 in process 9, 0x28e0000 in process 16), while both HawkEye rules match the main image at 0x400000 of the same RegAsm.exe processes and the dropper itself. Treat the BabyShark match as a candidate rule overlap with the modules HawkEye stages into its children, and confirm by inspecting one vbc.exe 0x400000 dump by hand before attributing a second malware family to this sample.
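The persistence artifact behind the Methodology_Suspicious_Shortcut_Local_URL hits (EyXKWK.url in the user's Startup folder) is an INI-style Internet Shortcut whose URL= field points at a local file instead of a web address. As an added example, not code from the report or from the rule's authors, the following Python check parses a .url body and grades its target. Both shortcut bodies are constructed; the local path in the second one is an assumption, since the report does not show the contents of EyXKWK.url.

```python
import configparser
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

# Suffixes Windows executes, or hands to a script host, when the shortcut is opened
EXECUTABLE_SUFFIXES = {'.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse',
                       '.wsf', '.wsh', '.hta', '.ps1', '.dll', '.cpl', '.msi', '.lnk'}


def parse_url_shortcut(text: str) -> dict:
    """Fields of the [InternetShortcut] section, key case preserved as Windows writes it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=('=',))
    cp.optionxform = str
    cp.read_string(text.replace('\r\n', '\n'))
    return dict(cp['InternetShortcut']) if cp.has_section('InternetShortcut') else {}


def local_target(url: str):
    """The local Windows path a URL= value resolves to, or None for a genuine remote URL."""
    url = url.strip()
    p = urlparse(url)
    if p.scheme == 'file':
        path = unquote(p.path)
        if p.netloc:                                     # file://server/share/x -> UNC path
            return '\\\\' + p.netloc + path.replace('/', '\\')
        if len(path) > 2 and path[0] == '/' and path[2] == ':':
            path = path[1:]                              # /C:/dir/x -> C:/dir/x
        return path.replace('/', '\\')
    # urlparse reads the drive letter of a bare C:\dir\x as a one-letter scheme
    if p.scheme == '' or (len(p.scheme) == 1 and p.scheme.isalpha()):
        return url
    return None


def classify_url_shortcut(text: str) -> tuple:
    """('none' | 'medium' | 'high', reason) for one .url file body."""
    url = parse_url_shortcut(text).get('URL', '').strip()
    if not url:
        return 'none', 'no URL= field'
    target = local_target(url)
    if target is None:
        return 'none', 'remote target'
    if PureWindowsPath(target).suffix.lower() in EXECUTABLE_SUFFIXES:
        return 'high', f'local executable or script target: {target}'
    return 'medium', f'local target: {target}'


# Constructed shortcut bodies. The second imitates a Startup-folder persistence entry; its
# target path is an assumption, not the real content of EyXKWK.url from the report.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"
PERSISTENCE_URL = ("[InternetShortcut]\r\n"
                   "URL=file:///C:/Users/user/AppData/Roaming/example/run.vbs\r\n"
                   "IconIndex=0\r\n")

if __name__ == '__main__':
    for body in (BENIGN_URL, PERSISTENCE_URL):
        print(classify_url_shortcut(body))
```

Run it over every .url in the per-user and all-users Startup folders; a 'high' result there is the same condition the Yara rule encodes, and a 'medium' result (a shortcut to a local folder or document) is worth a look but is sometimes legitimate.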
.NET source code contains calls to encryption/decryption functions
Source: 9.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs, Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs, Cryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to security
Source: 16.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs, Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 16.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs, Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 9.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 9.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 9.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 16.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 16.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 16.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs, Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 9.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs, Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
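The decompiled class names in the two sections above begin with U+202D, U+206B, U+200D, U+200B and U+202A (all Unicode format characters) and then run into characters the report could not render, which is the signature of a .NET obfuscator that builds identifiers from invisible code points. As an added example that is not part of the report, the following Python helper flags such identifiers in a list of type names pulled from an unpacked assembly and renders them in a form a report can show. The sample names are constructed; what follows each prefix is an assumption, since the report only shows question marks there.

```python
import unicodedata

# Bidi controls: a single one anywhere in an identifier is already a red flag
BIDI_CONTROLS = ({chr(c) for c in range(0x202A, 0x202F)}      # LRE, RLE, PDF, LRO, RLO
                 | {chr(c) for c in range(0x2066, 0x206A)}    # LRI, RLI, FSI, PDI
                 | {'\u200E', '\u200F'})                      # LRM, RLM
INVISIBLE_CATEGORIES = {'Cf', 'Cc', 'Co', 'Cn', 'Zs', 'Zl', 'Zp'}


def describe_identifier(name: str) -> str:
    """Render a name with every non-printable code point spelled out as <U+XXXX>."""
    return ''.join(ch if ch.isprintable() else f'<U+{ord(ch):04X}>' for ch in name)


def is_obfuscated_identifier(name: str, threshold: float = 0.5) -> bool:
    """True for names that contain a bidi control or are mostly invisible characters."""
    if not name:
        return False
    if any(ch in BIDI_CONTROLS for ch in name):
        return True
    invisible = sum(1 for ch in name if unicodedata.category(ch) in INVISIBLE_CATEGORIES)
    return invisible / len(name) >= threshold


def flag_obfuscated_types(type_names) -> list:
    """(rendered name, original name) for every identifier that looks machine-generated."""
    return [(describe_identifier(n), n) for n in type_names if is_obfuscated_identifier(n)]


# Constructed identifiers: the first two imitate the prefixed class names from the report
# (the tail after the prefix is an assumption); the remaining names are ordinary.
SAMPLE_TYPES = [
    '\u202d' + '\u200b\u200c\u200d\u2060' * 3,
    '\u206b' + '\u200b\u200c\u200d\u2060' * 3,
    'Program',
    'KeyLogger',
    'Form1',
]

if __name__ == '__main__':
    for rendered, _ in flag_obfuscated_types(SAMPLE_TYPES):
        print(rendered)
```

Feed it the type names from the unpacked assembly (any .NET metadata reader will list them) and use the rendered form in notes and signatures; the raw names cannot be typed, searched or reliably copied, which is the point of the obfuscation.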
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
None of the strings below carries a \\.\ or \Device\ prefix; they are ordinary file paths and ETW log strings from the dropped AppCompatServicing.dll, so this signature is informational for this sample.
Source: AppCompatServicing.dll.28.dr, Binary string: 54\programdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|banner.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|resource.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\sr-latn-cs|background.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\sr-latn-cs|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|sign.cat
Source: AppCompatServicing.dll.28.dr, Binary string: 54\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: @%DiagtrackStorageRoot%\ETLLogsConsumerDroppedProviderCounts_0DecodingDroppedProviderCounts_0DiagTrackETWLoggerDiagtrack-ListenerAutoLogger-Diagtrack-Listener{11D8A17B-F2D8-4733-B41B-6F4959ACD701}%DiagtrackStorageRoot%\ETLLogs\AutoLogger%DiagtrackStorageRoot%\ETLLogs\ShutdownLogger%DiagtrackStorageRoot%\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl%DiagtrackStorageRoot%\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl:$ETLUNIQUECVDATAHybridLatencySwapMillisbase\diagnosis\diagtrack\extension\lib\coreexternal\etwconsumer.cppLoggerFlushTimeUseMsFlushTimerMinBuffersMaxBuffersBufferSizeKbFailed to stop ETW tracing session (before starting a fresh session)Failed to start ETW tracing sessionFailed to open ETW traceFailed to process ETW traceFailed to stop ETW traceFailed to stop AutoLogger ETW tracing session (before starting a fresh session)Failed to start ETW tracing session for Shutdown logger.producerMapFailed to open ETW trace while processing etl file.DisableProviderGroupsFailed to enable ETW pro
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\sr-latn-cs|logo1.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|standardwatermarkoverlay.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|background.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\!c|resource.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 54\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|background.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\!c|behavior.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\!c\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\sr-latn-cs|logo1.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\!c|background.png
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\!c\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\sr-latn-cs|sign.cat
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\!c\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\sr-latn-cs|resource.xml
Source: AppCompatServicing.dll.28.dr, Binary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|photosmart_all-in-one_printer_scanner_copier.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|watermark.png
Source: AppCompatServicing.dll.28.drBinary string: 54\programdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|background.png
Source: AppCompatServicing.dll.28.drBinary string: \Device\NXQueryDriver\DosDevices\NXQueryD
Source: AppCompatServicing.dll.28.drBinary string: 10\diagnostics\system\device\!c|cl_localizationdata.psd1
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|superbar.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\!c|behavior.xml
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|standardbackground.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\sr-latn-cs|resource.xml
Source: AppCompatServicing.dll.28.drBinary string: 54\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|superbar.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|microsoftlogo.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|blank.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|resource.xml
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|sign.cat
Source: AppCompatServicing.dll.28.drBinary string: 54\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|device.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|behavior.xml
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\!c|logo1.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|logo.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\!c|sign.cat
Source: AppCompatServicing.dll.28.drBinary string: 54\programdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}|watermark.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a81aff70-37dc-4f47-9369-f88c9a480753\devicestage\device\!c|hp_overlay.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|overlay.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|lifecamstudio.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|background.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|device.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\a49232fd-5d03-47de-a343-29ce16f6fbd9\devicestage\device\!c|behavior.xml
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\en-us\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\!c|resource.xml
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\!c|logo1.png
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\!c|sign.cat
Source: AppCompatServicing.dll.28.drBinary string: 10\diagnostics\system\device\!c|diagpackage.dll.mui
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\multiloc\0ecf2029-2c6a-41ae-9e0a-63ffc9ead877\devicestage\device\sr-latn-cs|sign.cat
Source: AppCompatServicing.dll.28.drBinary string: 53\all users\microsoft\windows\devicemetadatacache\dmrccache\!c\d0b60731-694a-408c-af09-7d08cd1445cc\devicestage\device\sr-latn-cs|behavior.xml
Source: AppCompatServicing.dll.28.drBinary string: 54\programdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}|overlay.png
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@51/50@4/1
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,15_2_00417BE9
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 9_2_07BB0C02 AdjustTokenPrivileges,9_2_07BB0C02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 9_2_07BB0BCB AdjustTokenPrivileges,9_2_07BB0BCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 16_2_07D20BF6 AdjustTokenPrivileges,16_2_07D20BF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 16_2_07D20BBF AdjustTokenPrivileges,16_2_07D20BBF
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,15_2_00418073
Contains functionality to enum processes or threads
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,15_2_00413424
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Documents98376532453.exe | Code function: 0_2_028115FC FindResourceA,0_2_028115FC
Creates files inside the user directory
Source: C:\Users\user\Desktop\Documents98376532453.exe | File created: C:\Users\user\Documents98376532453.exe
Creates mutexes
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Setup
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Setup.Box
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\525e980b-b120-4192-8237-b0cb4ce64149
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Setup.SetupCln
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\$WINDOWS.~BT\Sources\setuphost.exe | Mutant created: \BaseNamedObjects\Global\WdsSetupLogInit
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\$WINDOWS.~BT\Sources\setuphost.exe | Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Setup.Cleanup
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Setup.Rollback
Creates temporary files
Source: C:\Users\user\Desktop\Documents98376532453.exe | File created: C:\Users\user\AppData\Local\Temp\bw2vid3m
PE file has an executable .text section and no other executable section
Source: Documents98376532453.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Documents98376532453.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Documents98376532453.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\Documents98376532453.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 0000000F.00000002.1808014905.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.1822143967.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Sample is known by Antivirus
Source: Documents98376532453.exe | Virustotal: Detection: 77%
Sample reads its own file content
Source: C:\Users\user\Desktop\Documents98376532453.exe | File read: C:\Users\user\Desktop\Documents98376532453.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Documents98376532453.exe 'C:\Users\user\Desktop\Documents98376532453.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.cmdline'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES64FE.tmp' 'c:\Users\user\AppData\Local\Temp\bw2vid3m\CSCBDDB4D0B2C9F478CA5F53679D7C7FA0.TMP'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Users\user\Documents98376532453.exe 'C:\Users\user\Documents98376532453.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1r52hgs4.cmdline'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES99BA.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB5F6DF5D8AF145C78E28BC827F2856FA.TMP'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9F19.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAF36.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp90DD.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpA32C.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8734.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9722.tmp'
Source: unknown | Process created: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.Exe /Package /PreDownload /CancelId C-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb /PauseId P-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb /SuspendId S-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb /CorrelationVector 5FsLsvI1yUiMz8Sg.1.1.1.1.29.32 /FlightData RS:51F6 /ReportId 64ED273F-19A5-4D74-A5EF-480F6094C381.1 /DownloadSizeInMB 11736 /SetupDUPath C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\SetupDUCabs
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7936.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp88B7.tmp'
Source: unknown | Process created: C:\$WINDOWS.~BT\Sources\setuphost.exe 'C:\$WINDOWS.~BT\Sources\SetupHost.Exe' /PreDownload /Package /Quiet /ReportId 64ED273F-19A5-4D74-A5EF-480F6094C381.1 /FlightData 'RS:51F6' '/CancelId' 'C-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb' '/PauseId' 'P-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb' '/CorrelationVector' '5FsLsvI1yUiMz8Sg.1.1.1.1.29.32' '/DownloadSizeInMB' '11736'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6DB9.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7B75.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp62A9.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6EFD.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp55D4.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp62C5.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp4B80.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp57E4.tmp'
Source: C:\Users\user\Desktop\Documents98376532453.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.cmdline'
Source: C:\Users\user\Desktop\Documents98376532453.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES64FE.tmp' 'c:\Users\user\AppData\Local\Temp\bw2vid3m\CSCBDDB4D0B2C9F478CA5F53679D7C7FA0.TMP'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9F19.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp90DD.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8734.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7936.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6DB9.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp62A9.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp55D4.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp4B80.tmp'
Source: C:\Users\user\Documents98376532453.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1r52hgs4.cmdline'
Source: C:\Users\user\Documents98376532453.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES99BA.tmp' 'c:\Users\user\AppData\Local\Temp\CSCB5F6DF5D8AF145C78E28BC827F2856FA.TMP'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpAF36.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpA32C.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9722.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp88B7.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7B75.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6EFD.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp62C5.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp57E4.tmp'
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe | Process created: C:\$WINDOWS.~BT\Sources\setuphost.exe 'C:\$WINDOWS.~BT\Sources\SetupHost.Exe' /PreDownload /Package /Quiet /ReportId 64ED273F-19A5-4D74-A5EF-480F6094C381.1 /FlightData 'RS:51F6' '/CancelId' 'C-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb' '/PauseId' 'P-aeeec880-1bc0-4b21-8d63-5d4da53ad7fb' '/CorrelationVector' '5FsLsvI1yUiMz8Sg.1.1.1.1.29.32' '/DownloadSizeInMB' '11736'
Uses an in-process (OLE) Automation server
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
PE file contains a COM descriptor data directory
Source: Documents98376532453.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Documents98376532453.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Documents98376532453.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: diagtrackrunner.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: NXQuery.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: Facilitator.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: c:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.pdb source: Documents98376532453.exe, 00000000.00000002.1767751734.0000000004DA0000.00000004.00000001.sdmp, csc.exe, 00000004.00000003.1755284744.000000000521F000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 0000001A.00000002.2234435462.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001B.00000002.2250547692.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000020.00000002.2660117335.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000021.00000002.2671723449.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.3085976962.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000025.00000002.3100622637.0000000000400000.00000040.00000001.sdmp
Source: Binary string: SetupPlatform.pdb source: WindowsUpdateBox.exe, 0000001C.00000003.2501461157.0000017B1B6F5000.00000004.00000001.sdmp
Source: Binary string: GatherOsState.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: AppraiserRes.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: SetupHost.pdbGCTL source: setuphost.exe, 0000001F.00000000.2504954810.00007FF680603000.00000002.00020000.sdmp
Source: Binary string: SetupPlatform.pdbGCTL source: WindowsUpdateBox.exe, 0000001C.00000003.2501461157.0000017B1B6F5000.00000004.00000001.sdmp
Source: Binary string: AppCompatServicing.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: AppraiserRes.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: Facilitator.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: diagER.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: diagtrack.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000009.00000002.3469443222.0000000007CD0000.00000002.00000001.sdmp, RegAsm.exe, 00000010.00000002.3479024291.0000000007D40000.00000002.00000001.sdmp
Source: Binary string: bluestub.pdbGCTL source: WindowsUpdateBox.exe, 0000001C.00000002.3481965403.00007FF606EF7000.00000002.00020000.sdmp
Source: Binary string: Mitigation.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: GatherOsState.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: Mitigation.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: bluestub.pdb source: WindowsUpdateBox.exe, 0000001C.00000002.3481965403.00007FF606EF7000.00000002.00020000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Temp\1r52hgs4.pdb source: Documents98376532453.exe, 0000000B.00000002.1812580959.0000000003170000.00000004.00000001.sdmp, csc.exe, 0000000C.00000003.1796625137.0000000004C32000.00000004.00000001.sdmp
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that i
Source: Binary string: ReserveManager.pdbGCTL source: WindowsUpdateBox.exe, 0000001C.00000003.2499722288.0000017B1B6F5000.00000004.00000001.sdmp, reservemanager.dll.28.dr
Source: Binary string: WinSetupBoot.pdb source: WindowsUpdateBox.exe, 0000001C.00000003.2504201289.0000017B1B6E1000.00000004.00000001.sdmp
Source: Binary string: YtrYmZwEQl4nwMU5.pdb source: Documents98376532453.exe
Source: Binary string: diagER.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: YtrYmZwEQl4nwMU5.pdb( source: Documents98376532453.exe
Source: Binary string: NXQuery.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: AppCompatServicing.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: diagtrack.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: jc:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.pdb source: csc.exe, 00000004.00000003.1755400513.00000000051A7000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000009.00000002.3468255034.0000000006D30000.00000004.00000001.sdmp, RegAsm.exe, 00000010.00000002.3472718506.00000000028E0000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.2014971710.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000016.00000002.2034928519.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.2441316185.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001E.00000002.2459542764.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000022.00000002.2868586026.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000023.00000002.2882667238.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000026.00000002.3295802146.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000027.00000002.3309177586.0000000000400000.00000040.00000001.sdmp
Source: Binary string: 10\wid\binn\xtp\vc\lib|libcmt.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: ReserveManager.pdb source: WindowsUpdateBox.exe, 0000001C.00000003.2499722288.0000017B1B6F5000.00000004.00000001.sdmp, reservemanager.dll.28.dr
Source: Binary string: du.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: SetupHost.pdb source: setuphost.exe, 0000001F.00000000.2504954810.00007FF680603000.00000002.00020000.sdmp
Source: Binary string: du.pdb source: AppCompatServicing.dll.28.dr
Source: Binary string: diagtrackrunner.pdbGCTL source: AppCompatServicing.dll.28.dr
Source: Binary string: WinSetupBoot.pdbGCTL source: WindowsUpdateBox.exe, 0000001C.00000003.2504201289.0000017B1B6E1000.00000004.00000001.sdmp

Data Obfuscation:

Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1r52hgs4.cmdline'
Source: C:\Users\user\Desktop\Documents98376532453.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.cmdline'
Source: C:\Users\user\Documents98376532453.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1r52hgs4.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004443B0
PE file contains an invalid checksum
Source: bw2vid3m.dll.4.dr Static PE information: real checksum: 0x0 should be: 0xa937
Source: setupcore.dll.mui.28.dr Static PE information: real checksum: 0xa997 should be:
Source: AppCompatServicing.dll.28.dr Static PE information: real checksum: 0x133b5 should be:
Source: acmigration.dll.28.dr Static PE information: real checksum: 0x5ee6b should be: 0x47b1c0
Source: 1r52hgs4.dll.12.dr Static PE information: real checksum: 0x0 should be: 0x6765
Source: Documents98376532453.exe Static PE information: real checksum: 0xe12df should be: 0xf4875
Source: Documents98376532453.exe.0.dr Static PE information: real checksum: 0xe12df should be: 0xf4875
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_00F4D1B8 push eax; iretd 9_2_00F4D1B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_00F49134 push ecx; retf 9_2_00F49139
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_00F42E11 push ds; retf 9_2_00F433AE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB40D6 push ds; retf 9_2_04EB40D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB4005 push ds; retf 9_2_04EB4007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB4140 push ds; retf 9_2_04EB4145
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EBC15F push edi; ret 9_2_04EBC166
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EBCEA0 push ds; ret 9_2_04EBCEA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EBCE52 push 00000021h; ret 9_2_04EBCE54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EBBE14 push 8BFFFFFFh; retf 9_2_04EBBE26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EBCFCC push cs; retf 9_2_04EBCFD5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB2FA5 push ss; retf 9_2_04EB2FA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB2F1C push ss; retf 9_2_04EB2F1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 9_2_04EB3F10 push ds; retf 9_2_04EB3F12
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00444975 push ecx; ret 15_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00444B90 push eax; ret 15_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00444B90 push eax; ret 15_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00448E74 push eax; ret 15_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0042CF44 push ebx; retf 0042h 15_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990D70 push ecx; retf 16_2_02990ECA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02991238 push esp; retf 16_2_0299123A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990FF9 push ebx; retf 16_2_02990FFA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990FF0 push ebx; retf 16_2_02990FF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990F70 push edx; retf 16_2_02990F72
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990F69 push edx; retf 16_2_02990F6A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_0299B89C push 8BFFFFFFh; retf 16_2_0299B8AE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_029958CF pushfd ; retf 16_2_029958D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02999430 push eax; retf 16_2_02999431
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_029911B8 push esp; retf 16_2_029911BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02992D70 push esp; retf 16_2_02992D71
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_02990D68 push ecx; retf 16_2_02990D6A
.NET source code contains many randomly named methods
Source: Documents98376532453.exe, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'
Source: Documents98376532453.exe.0.dr, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'
Source: 0.2.Documents98376532453.exe.580000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'
Source: 0.0.Documents98376532453.exe.580000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'
Source: 11.2.Documents98376532453.exe.e70000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'
Source: 11.0.Documents98376532453.exe.e70000.0.unpack, QquJnNww8LkuPrqfa5W/IWqZj3wtEHsJTFVh3iD.cs High entropy of concatenated method names: 'kQhefRxBO3', 'nA6eSoaD25', 'aS3eEyZu0e', 'bpLeCCx5XB', 'Etue2ALg6V', 'sWXe7ixH0x', 'Qdce6WKq2l', 'asoeUkSsyx', 'McNe9lsYr4', 'gOLeKjcgya'

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\Documents98376532453.exe
Sample is not signed and drops a device driver
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\NXQuery.sys
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\DUDownload\Setup\Windows10.0-KB4525043-x64\winsetupboot.sys
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\winsetupboot.sys
Drops PE files
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\DUDownload\Setup\Windows10.0-KB4525043-x64\he-il\setupcore.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\mediasetupuimgr.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\pl-pl\mediasetupuimgr.dll.mui
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\bw2vid3m\bw2vid3m.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\nb-no\mediasetupuimgr.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\sk-sk\mediasetupuimgr.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\updateagent.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\1r52hgs4.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\replacementmanifests\microsoft-windows-mup\mupmigplugin.dll
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\Documents98376532453.exe
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\ar-sa\mediasetupuimgr.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\AppCompatServicing.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\acmigration.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\zh-cn\mediasetupuimgr.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\ro-ro\mediasetupuimgr.dll.mui
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\reservemanager.dll
Source: C:\Windows\SoftwareDistribution\Download\5f2e5dbeb88ba33ccbe17fd997c0c82d\WindowsUpdateBox.exe File created: C:\$WINDOWS.~BT\Sources\setupcore.dll
Drops PE files to the user directory
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\Documents98376532453.exe
May use bcdedit to modify the Windows boot settings
Source: AppCompatServicing.dll.28.dr Binary or memory string: statenamestypeidexplicitscopedataitemstatenamesessionuploadAsHexString=wnfBufferType=wnfStateName=wnfTypeId=wnfExplicitScopeString=wnfExplicitScopeType=int8uint8int16uint16int32uint32int64uint64floatdoubleboolguidpointerfiletimesystemtimeyearmonthdowdayhourminutesecondmillisecondhexint32hexint64base\diagnosis\diagtrack\extension\lib\coreexternal\snapalwaysontraceaction.cppSnapAlwaysOnTraceAction: trace.etlbase\diagnosis\diagtrack\extension\lib\coreexternal\snaptraceaction.cppsavedtrace_.etlmergewithalwaysontracesavetolocalstoreSnapTraceAction: traceProfileHash=mergeWithAOT=saveToLocalStore=base\diagnosis\diagtrack\extension\lib\coreexternal\starttraceaction.cppmaxdurationsectracepriorityStartTraceAction: maximumDurationSec=tracePriority=base\diagnosis\diagtrack\extension\lib\coreexternal\stoptraceaction.cpptraceprofilescenarioidStopTraceAction: traceProfileScenarioId=base\diagnosis\diagtrack\extension\lib\coreexternal\toggletraceaction.cppToggleTraceAction: traceProfile=base\diagnosis\diagtrack\extension\lib\c
Source: AppCompatServicing.dll.28.dr Binary or memory string: 11\!c|bcdedit.exe.mui
Source: AppCompatServicing.dll.28.dr Binary or memory string: 11|bcdedit.exe
Creates install or setup log file
Source: C:\$WINDOWS.~BT\Sources\setuphost.exe File created: C:\$WINDOWS.~BT\Sources\Panther\setuperr.log
Source: C:\$WINDOWS.~BT\Sources\setuphost.exe File created: C:\$WINDOWS.~BT\Sources\Panther\setupact.log

Boot Survival:

Drops PE files to the user root directory
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\Documents98376532453.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Documents98376532453.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EyXKWK.url

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Documents98376532453.exe File opened: C:\Users\user\Documents98376532453.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_00443A61
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Documents98376532453.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents98376532453.exe Process information set: NOOPENFILEERRORBOX