Analysis Report 02hcrdNuG6.exe

Overview

General Information

Sample Name: 02hcrdNuG6.exe
Analysis ID: 399834
MD5: 4358ed0c3918c0658a1b2bb1bc35462d
SHA1: 728017a96e30fe41379ed36a1c9b3129751f3750
SHA256: a81addf8ad395ae36a617da9fb138337c17941475c1e3f3003d2571c8cb3b84e

Detection

LimeRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LimeRAT
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Startup

  • System is w10x64
  • 02hcrdNuG6.exe (PID: 5480 cmdline: 'C:\Users\user\Desktop\02hcrdNuG6.exe' MD5: 4358ED0C3918C0658A1B2BB1BC35462D)
    • schtasks.exe (PID: 6152 cmdline: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr ''C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe'' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WindowsService.exe (PID: 6236 cmdline: 'C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe' MD5: 4358ED0C3918C0658A1B2BB1BC35462D)
  • WindowsService.exe (PID: 6368 cmdline: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe MD5: 4358ED0C3918C0658A1B2BB1BC35462D)
  • cleanup

Malware Configuration

Threatname: LimeRAT

{"C2 url": "https://pastebin.com/raw/FQ6Mj5L5", "AES Key": "CrackingG0d", "ENDOF": "|'N'|", "Seprator": "|'L'|", "Install File": "WindowsService.exe", "Install Dir": "temp", "Version": "v0.1.9.2"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
02hcrdNuG6.exe | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.227121610.0000000000852000.00000002.00020000.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
00000006.00000000.247272904.0000000000B42000.00000002.00020000.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
00000005.00000000.245889872.0000000000742000.00000002.00020000.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
00000000.00000002.246717553.0000000002B3C000.00000004.00000001.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
00000005.00000002.495518458.0000000000742000.00000002.00020000.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
(further entries not shown in this view)

Unpacked PEs

Source | Rule | Description | Author
0.2.02hcrdNuG6.exe.850000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
6.0.WindowsService.exe.b40000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
0.2.02hcrdNuG6.exe.2b3c494.1.raw.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
6.2.WindowsService.exe.b40000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
5.0.WindowsService.exe.740000.0.unpack | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security
(further entries not shown in this view)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 02hcrdNuG6.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: 5.0.WindowsService.exe.740000.0.unpack | Malware Configuration Extractor: LimeRAT {"C2 url": "https://pastebin.com/raw/FQ6Mj5L5", "AES Key": "CrackingG0d", "ENDOF": "|'N'|", "Seprator": "|'L'|", "Install File": "WindowsService.exe", "Install Dir": "temp", "Version": "v0.1.9.2"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: 02hcrdNuG6.exe | Metadefender: Detection: 48%
Source: 02hcrdNuG6.exe | ReversingLabs: Detection: 89%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 02hcrdNuG6.exe | Joe Sandbox ML: detected
Uses 32bit PE files
Source: 02hcrdNuG6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49714 version: TLS 1.0
Source: 02hcrdNuG6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://pastebin.com/raw/FQ6Mj5L5
Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 134.255.220.10:555
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.23.98.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49714 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 134.255.220.10 (15 connection attempts; the address is never resolved via DNS, so it was most likely obtained from the pastebin paste named in the configuration)
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: WindowsService.exe, 00000005.00000002.498465437.0000000002A19000.00000004.00000001.sdmp | String found in binary or memory: http://pastebin.com
Source: 02hcrdNuG6.exe, 00000000.00000002.246691900.0000000002B21000.00000004.00000001.sdmp, WindowsService.exe, 00000005.00000002.498378776.00000000029DC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WindowsService.exe, 00000005.00000002.498378776.00000000029DC000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
Source: WindowsService.exe, 00000005.00000002.498744035.0000000002B00000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/FQ6Mj5L5
Source: WindowsService.exe, 00000005.00000002.498744035.0000000002B00000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.comD8
Source: WindowsService.exe, 00000005.00000002.498586566.0000000002A5A000.00000004.00000001.sdmp, WindowsService.exe, 00000005.00000002.498465437.0000000002A19000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
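The configuration names only a pastebin raw URL as the C2, while the traffic shows a TLS fetch from pastebin.com (104.23.98.190) followed by repeated connections to 134.255.220.10:555 that were never resolved via DNS. That is the dead-drop resolver pattern: the paste hands out the real C2 endpoint. The Python below is an added example, not part of the Joe Sandbox report and not LimeRAT code, that flags this pattern in a stream of DNS and TCP events. The event records are constructed from the values in this report (the DNS answer for pastebin.com is assumed to be 104.23.98.190, since the report only shows the HTTPS connection), and the NetEvent field names are our own, not a Joe Sandbox or Zeek schema.

```python
"""
Added example, not part of the Joe Sandbox report: detect the dead-drop
resolver pattern (paste-site fetch, then a TCP connection to an address
that was never resolved via DNS, on a non-standard port).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Paste/dead-drop hosts to watch; pastebin.com is the one seen in this report.
DEAD_DROP_HOSTS = {"pastebin.com"}
# Ports that commonly carry direct-to-IP traffic without a DNS lookup.
STANDARD_PORTS = {53, 80, 443}


@dataclass
class NetEvent:
    ts: float                    # seconds since capture start
    kind: str                    # "dns" or "tcp"
    dst: str = ""                # tcp: destination ip
    dport: int = 0               # tcp: destination port
    qname: str = ""              # dns: queried name
    answers: List[str] = field(default_factory=list)  # dns: resolved ips


@dataclass
class Finding:
    ts: float
    dst: str
    dport: int
    reason: str


def find_dead_drop_c2(events: List[NetEvent]) -> List[Finding]:
    """Return one Finding per (ip, port) that matches the pattern."""
    resolved: Dict[str, Set[str]] = {}      # ip -> names that resolved to it
    paste_fetch_ts: Optional[float] = None  # time of the last paste-site TLS fetch
    reported: Set[Tuple[str, int]] = set()
    findings: List[Finding] = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            for ip in ev.answers:
                resolved.setdefault(ip, set()).add(ev.qname.lower())
            continue
        if ev.kind != "tcp" or ipaddress.ip_address(ev.dst).is_private:
            continue
        names = resolved.get(ev.dst, set())
        if ev.dport == 443 and names & DEAD_DROP_HOSTS:
            paste_fetch_ts = ev.ts          # the dead-drop lookup itself
            continue
        if names or ev.dport in STANDARD_PORTS or (ev.dst, ev.dport) in reported:
            continue
        reported.add((ev.dst, ev.dport))
        reason = "tcp to ip with no prior dns resolution on non-standard port"
        if paste_fetch_ts is not None and ev.ts >= paste_fetch_ts:
            reason += "; follows paste-site fetch"
        findings.append(Finding(ev.ts, ev.dst, ev.dport, reason))
    return findings


# Constructed sample, modelled on this report's traffic. The DNS answer for
# pastebin.com is assumed; the report only shows the HTTPS connection.
SAMPLE_EVENTS = [
    NetEvent(0.5, "dns", qname="update.example.com", answers=["203.0.113.7"]),
    NetEvent(0.6, "tcp", dst="203.0.113.7", dport=443),      # benign: resolved, 443
    NetEvent(1.0, "dns", qname="pastebin.com", answers=["104.23.98.190"]),
    NetEvent(1.2, "tcp", dst="104.23.98.190", dport=443),    # dead-drop fetch
    NetEvent(2.0, "tcp", dst="134.255.220.10", dport=555),   # unresolved, port 555
    NetEvent(2.5, "tcp", dst="134.255.220.10", dport=555),   # repeat, reported once
    NetEvent(3.0, "tcp", dst="192.168.2.1", dport=139),      # private, ignored
]

if __name__ == "__main__":
    for f in find_dead_drop_c2(SAMPLE_EVENTS):
        print(f"{f.ts:5.1f}  {f.dst}:{f.dport}  {f.reason}")
```

Run on the sample, the only finding is 134.255.220.10:555 with the "follows paste-site fetch" qualifier; the resolved 443 connections and the private-range connection are skipped. In production the same logic sits naturally over Zeek dns.log/conn.log or firewall logs, and the paste-site set should include whatever dead-drop services your telemetry has seen.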

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LimeRAT
Source: Yara match | File source: 02hcrdNuG6.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.227121610.0000000000852000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.247272904.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.245889872.0000000000742000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246717553.0000000002B3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495518458.0000000000742000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.261807095.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246107724.0000000000852000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 02hcrdNuG6.exe PID: 5480, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsService.exe PID: 6236, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsService.exe PID: 6368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe, type: DROPPED
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.WindowsService.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.2b3c494.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.WindowsService.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.WindowsService.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.02hcrdNuG6.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.WindowsService.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.2b3c494.1.unpack, type: UNPACKEDPE
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process is marked critical, so terminating it triggers a system crash)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Code function: 0_2_02A0B0B8
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Code function: 0_2_02A0D068
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Code function: 0_2_02A0A4A0
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Code function: 0_2_02A0A7E8
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 5_2_0105B0B8
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 5_2_0105A4A0
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 5_2_0105A7E8
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 6_2_014DD078
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 6_2_014DB0B8
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 6_2_014DA4A0
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Code function: 6_2_014DA7E8
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe A81ADDF8AD395AE36A617DA9FB138337C17941475C1E3F3003D2571C8CB3B84E (same SHA256 as the submitted sample: the dropped file is a byte-for-byte copy of 02hcrdNuG6.exe)
Source: 02hcrdNuG6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 02hcrdNuG6.exe, ??????????/????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 02hcrdNuG6.exe, ??????????/????????.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsService.exe.0.dr, ??????????/????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: WindowsService.exe.0.dr, ??????????/????????.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.02hcrdNuG6.exe.850000.0.unpack, ??????????/????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.02hcrdNuG6.exe.850000.0.unpack, ??????????/????????.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.02hcrdNuG6.exe.850000.0.unpack, ??????????/????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.02hcrdNuG6.exe.850000.0.unpack, ??????????/????????.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 02hcrdNuG6.exe, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: WindowsService.exe.0.dr, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 0.0.02hcrdNuG6.exe.850000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 0.2.02hcrdNuG6.exe.850000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 5.0.WindowsService.exe.740000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 5.2.WindowsService.exe.740000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 6.0.WindowsService.exe.b40000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: 6.2.WindowsService.exe.b40000.0.unpack, ????????/??????????????.cs | Base64 encoded string: 'lIV5OVWm5X9grmK3OIzJ8FuDYpl793CoGrCN/6zL647Vo7Ubht0KB0YlAoEguiQR'
Source: WindowsService.exe.0.dr, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsService.exe.0.dr, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.WindowsService.exe.b40000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.WindowsService.exe.b40000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.WindowsService.exe.740000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.WindowsService.exe.740000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.WindowsService.exe.b40000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.WindowsService.exe.b40000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.02hcrdNuG6.exe.850000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.02hcrdNuG6.exe.850000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.WindowsService.exe.740000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.WindowsService.exe.740000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.02hcrdNuG6.exe.850000.0.unpack, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.02hcrdNuG6.exe.850000.0.unpack, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 02hcrdNuG6.exe, ?????????/??????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 02hcrdNuG6.exe, ?????????/??????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
(The namespace and class names of these .NET sources contain non-ASCII characters that are rendered as question marks here.)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@1/2
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\02hcrdNuG6.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Mutant created: \Sessions\1\BaseNamedObjects\925304F8E788
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File created: C:\Users\user\AppData\Local\Temp\Windows
Source: 02hcrdNuG6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences, one per WindowsService.exe process)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (11 occurrences)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: 02hcrdNuG6.exe | Metadefender: Detection: 48%
Source: 02hcrdNuG6.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File read: C:\Users\user\Desktop\02hcrdNuG6.exe
Source: unknown | Process created: C:\Users\user\Desktop\02hcrdNuG6.exe 'C:\Users\user\Desktop\02hcrdNuG6.exe'
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr ''C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe''
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe 'C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 02hcrdNuG6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 02hcrdNuG6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Code function: 0_2_02A0C070 push 0000005Eh; ret 0_2_02A0C096
Drops PE files
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File created: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe

                          Boot Survival:

                          barindex
Yara detected LimeRAT
Source: Yara match | File source: 02hcrdNuG6.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.227121610.0000000000852000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.247272904.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.245889872.0000000000742000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246717553.0000000002B3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495518458.0000000000742000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.261807095.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246107724.0000000000852000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 02hcrdNuG6.exe PID: 5480, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsService.exe PID: 6236, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsService.exe PID: 6368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe, type: DROPPED
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.WindowsService.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.2b3c494.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.WindowsService.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.WindowsService.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.02hcrdNuG6.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.WindowsService.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.02hcrdNuG6.exe.2b3c494.1.unpack, type: UNPACKEDPE
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr ''C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe''
/sc ONLOGON re-launches the dropped copy at every user logon, /RL HIGHEST requests the highest run level available to the creating token (elevated only if the dropper itself ran elevated), and /f replaces any existing task of the same name without prompting. The task binary sits in a user-writable Temp subdirectory that is itself named "Windows", not under %SystemRoot%.
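The task-creation command above is the kind of line that process-creation telemetry (Sysmon Event ID 1, EDR command-line logging) hands an analyst. The Python below is an added example for this report, not code from the sandbox or from the malware: it parses a schtasks command line and scores the persistence choices that matter here (trigger, run level, /f, binary location, Windows-lookalike name). The SAMPLE_EVENTS list is constructed; its first entry is the command line from this report with the doubled single quotes restored to the double quotes schtasks actually receives, and the second is a benign control task under Program Files.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events. The first is the command line logged in this report;
# the second is a benign control task so the scoring has something to reject.
SAMPLE_EVENTS = [
    r'schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe"',
    r'schtasks /create /sc DAILY /st 03:00 /tn BackupJob /tr "C:\Program Files\Backup\backup.exe"',
]

TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
SYSTEM_ROOT = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)
# Names that imitate Windows components; genuine ones live under %SystemRoot%.
# Note the dropper's path contains a "\Windows\" folder under Temp, so the check
# must anchor on the drive root rather than search for the substring.
LOOKALIKE = re.compile(r"^(windows|svchost|csrss|winlogon|explorer)", re.IGNORECASE)


@dataclass
class TaskFindings:
    task_name: str
    binary: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators: /f alone, or ONLOGON alone,
        # is common in legitimate administration scripts.
        return len(self.reasons) >= 2


def parse_schtasks(cmdline: str) -> dict:
    """Map each /option to its value, or to True for bare flags such as /f."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()  # schtasks options are case-insensitive
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def analyze(cmdline: str) -> TaskFindings:
    """Score one schtasks command line for persistence tradecraft."""
    opts = parse_schtasks(cmdline)
    action = opts.get("tr") if isinstance(opts.get("tr"), str) else ""
    findings = TaskFindings(task_name=str(opts.get("tn", "")), binary=action)
    if "create" not in opts:
        return findings  # /query, /delete, /run etc. do not establish persistence
    trigger = str(opts.get("sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        findings.reasons.append(f"re-launched at every {trigger[2:]} (/sc {trigger.upper()})")
    if str(opts.get("rl", "")).lower() == "highest":
        findings.reasons.append("requests the highest run level available to the caller (/RL HIGHEST)")
    if opts.get("f") is True:
        findings.reasons.append("replaces an existing task of the same name without prompting (/f)")
    if USER_WRITABLE.search(action):
        findings.reasons.append("task binary lives in a user-writable directory")
    basename = action.rsplit("\\", 1)[-1]
    if LOOKALIKE.match(basename) and not SYSTEM_ROOT.match(action):
        findings.reasons.append("binary name imitates a Windows component but is outside %SystemRoot%")
    return findings


def analyze_events(cmdlines) -> list:
    """Analyse a batch of logged command lines in order."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{verdict:10} task={f.task_name!r} binary={f.binary!r}")
        for r in f.reasons:
            print("    -", r)
```

Run against the two sample events, the LimeRAT task collects all five indicators while the control task collects none. The two-indicator threshold in `suspicious` is a design choice: ONLOGON tasks and /f are both routine in enterprise logon scripts, and it is the combination with a user-writable, Windows-lookalike binary that makes this one worth an alert.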

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File opened: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe:Zone.Identifier (access: read attributes, delete)
The Zone.Identifier alternate data stream carries the Mark-of-the-Web; opening it with delete access on the dropped copy strips the record that the file originated from the Internet, and with it the download-origin warnings tied to that stream.
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Process information set: NOOPENFILEERRORBOX (63 occurrences)
SEM_NOOPENFILEERRORBOX (SetErrorMode) only suppresses the "file not found" dialog on failed library loads; .NET processes commonly set it around their own library loads, so on its own it is a weak indicator and is kept here for completeness rather than as evidence of hiding.

Malware Analysis System Evasion:

Yara detected LimeRAT (the same matches as listed under Boot Survival above: the sample, the dropped WindowsService.exe, and the memory dumps and unpacked PEs of PIDs 5480, 6236 and 6368)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (11 occurrences)
The manufacturer, version and serial-number fields of these two classes are what anti-VM code compares against hypervisor vendor strings such as VMware or VirtualBox; both the dropper and the persisted copy run the check, and WindowsService.exe repeats it throughout its run.
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WindowsService.exe, 02hcrdNuG6.exe | Binary or memory string: SBIEDLL.DLL (the DLL Sandboxie injects into sandboxed processes; its presence is the sandbox check)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (device interface name of the VMware virtual SATA CD-ROM; the Ven_NECVMWar and VMware tokens identify the hypervisor)
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Window / User API: threadDelayed 1636
Source: C:\Users\user\Desktop\02hcrdNuG6.exe TID: 6060 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe TID: 6508 | Thread sleep time: -81800s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe TID: 6396 | Thread sleep time: -922337203685477s >= -30000s
The delay value 922337203685477 ms is Int64.MaxValue ticks divided by 10000, i.e. TimeSpan.MaxValue expressed in milliseconds: an effectively infinite sleep on that thread, which a sandbox with a fixed time budget never outlives.
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (11 occurrences)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\02hcrdNuG6.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows\WindowsService.exe | Thread delayed: delay time: 922337203685477
Source: WindowsService.exe, 00000005.00000002.503301465.00000000069FE000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareROCCZ3Y3Win32_VideoController1LZYUHYHVideoController120060621000000.000000-0001822.241display.infMSBDAKLCB9GXNPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsHOP88G9N'
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: WindowsService.exe, 00000005.00000002.496372467.0000000000C34000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareROCCZ3Y3Win32_VideoController1LZYUHYHVideoController120060621000000.000000-0001822.241display.infMSBDAKLCB9GXNPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsHOP88G9NG2
Source: WindowsService.exe, 00000005.00000002.503222070.0000000006960000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareROCCZ3Y3Win32_VideoController1LZYU
Source: 02hcrdNuG6.exe | Binary or memory string: vmware
Source: WindowsService.exe | Binary or memory string: \vboxhook.dll (the VirtualBox guest hook DLL, checked for as a VM indicator)
Source: WindowsService.exe, 00000005.00000002.496372467.0000000000C34000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareROCCZ3Y3Win32_VideoController1LZYUHYHVideoController120060621000000.000000-0001822.241display.infMSBDAKLCB9GXNPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsHOP88G9N!4
Source: 02hcrdNuG6.exe | Binary or memory string: \vboxhook.dllQY21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA= (several string constants run together; the base64 tail decodes to "cmd.exe /c ping 0 -n 2 & del ", a self-delete command to which the binary's own path is appended)
Source: WindowsService.exe, 00000005.00000002.496372467.0000000000C34000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareROCCZ3Y3Win32_VideoController1LZYUHYHVideoController120060621000000.000000-0001822.241display.infMSBDAKLCB9GXNPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsHOP88G9N
Source: WindowsService.exe, 00000005.00000002.503301465.00000000069FE000.00000004.00000001.sdmp | Binary or memory string: (Standard display types)VMwareROCCZ3Y3Win32_VideoC"
The Win32_VideoController and Win32_ComputerSystem results retained in memory name VMware as the display adapter vendor, which is the value the video-controller variant of the check keys on.
Source: 02hcrdNuG6.exe, 00000000.00000002.246488614.0000000000EA4000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:I
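The memory string \vboxhook.dllQY21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA= above is several .NET string constants run together, and only its tail is base64. The Python below is an added example for this report, not LimeRAT's code or Joe Sandbox's: it pulls base64 runs out of dumped strings like these, tolerates the fused prefix by trying 4-aligned start offsets, keeps only decodes that are printable text, and matches the result against the ping-then-del self-delete idiom. The SAMPLE_STRINGS list is constructed from strings quoted in this report.

```python
import base64
import binascii
import re
import string

# Constructed from strings quoted in this report: the Sandboxie DLL name, the
# VirtualBox hook DLL name, the fused string whose tail is base64, and a WMI
# result fragment that must not produce a false decode.
SAMPLE_STRINGS = [
    "SBIEDLL.DLL",
    r"\vboxhook.dll",
    r"\vboxhook.dllQY21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA=",
    "Win32_VideoController(Standard display types)VMware",
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")
# The classic self-delete idiom: spawn cmd, stall with ping, then del the caller.
SELF_DELETE = re.compile(r"cmd(?:\.exe)?\s+/c\s+ping\b[^&]*&\s*del\b", re.IGNORECASE)


def decode_candidates(s: str):
    """Yield (offset, text) for each base64 run in s that decodes to printable text.

    Strings dumped from memory are often fused with neighbouring data (here the
    vboxhook.dll name and a stray 'Q' precede the payload), so each run is also
    tried at start offsets 1..3 in case only a 4-aligned suffix is valid base64.
    """
    for m in B64_RUN.finditer(s):
        run = m.group(0)
        for off in range(4):
            chunk = run[off:]
            if len(chunk) < 16 or len(chunk) % 4:
                continue
            try:
                raw = base64.b64decode(chunk, validate=True)
            except binascii.Error:
                continue
            text = raw.decode("ascii", errors="replace")
            # Random bytes rarely decode to >= 95% printable ASCII; real command
            # strings always do. The replacement char counts as non-printable.
            if text and sum(c in PRINTABLE for c in text) / len(text) >= 0.95:
                yield m.start() + off, text


def find_encoded_commands(strings) -> list:
    """Return every self-delete command recovered from base64 inside the strings."""
    hits = []
    for s in strings:
        for _, text in decode_candidates(s):
            cmd = SELF_DELETE.search(text)
            if cmd:
                hits.append(cmd.group(0))
    return hits


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        for off, text in decode_candidates(s):
            print(f"{s[:20]!r}... run at {off}: {text!r}")
    print("self-delete commands:", find_encoded_commands(SAMPLE_STRINGS))
```

On the fused string the decoder recovers "cmd.exe /c ping 0 -n 2 & del " with three garbage bytes in front of it, which is why the command is reported from the regex match rather than from the raw decode; the other three strings contain no run of sixteen or more base64 characters and yield nothing. The same scan applied to a full strings dump surfaces other encoded configuration the dropper keeps as string constants.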