Play interactive tour

Edit tour

Windows Analysis Report kHCaZ06n23

Overview

General Information

Sample Name:	kHCaZ06n23 (renamed file extension from none to exe)
Analysis ID:	494353
MD5:	2607d8cf98f5e467376e0f8669d70544
SHA1:	8e20937d3b8aafe4f48ac66264e02487e9b86e9f
SHA256:	b943704744a23c06174a36aa0e24ecc7ac67aad9edc9c4bd46dd1f007514796d
Tags:	exeRevengeRAT
Infos:
Most interesting Screenshot:

Detection

RevengeRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected RevengeRAT

Sigma detected: Visual Basic Command Line Compiler Usage

Writes to foreign memory regions

Creates files in the recycle bin to hide itself

.NET source code references suspicious native API functions

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Enables debug privileges

PE file does not import any functions

PE file contains strange resources

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Sigma detected: Conhost Parent Process Executions

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

kHCaZ06n23.exe (PID: 6480 cmdline: 'C:\Users\user\Desktop\kHCaZ06n23.exe' MD5: 2607D8CF98F5E467376E0F8669D70544)

aspnet_compiler.exe (PID: 6504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

aspnet_compiler.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

vbc.exe (PID: 6848 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline' MD5: B3A917344F5610BEEC562556F11300FA)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cvtres.exe (PID: 6916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)

SecurityHealthService.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe' MD5: 2607D8CF98F5E467376E0F8669D70544)

aspnet_compiler.exe (PID: 6972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

WerFault.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: RevengeRAT

{"Key": "Revenge-RAT", "Host": ["127.0.0.1:1488", "zalupa1488.ddns.net:1488"], "ID": "SecondVek", "Mutex": "RV_MUTEX"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
kHCaZ06n23.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1b67b:$x1: Nuclear Explosion.g.resources 0x4009b:$x1: Nuclear Explosion.g.resources 0x18e81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x3d8a1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x16a5d:$x7: Nuclear Explosion.exe 0x3b47d:$x7: Nuclear Explosion.exe 0x1b91d:$s1: {11111-22222-20001-00001} 0x4033d:$s1: {11111-22222-20001-00001}
00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x19f2b:$x1: Nuclear Explosion.g.resources 0x39f33:$x1: Nuclear Explosion.g.resources 0x17731:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x37739:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1530d:$x7: Nuclear Explosion.exe 0x35315:$x7: Nuclear Explosion.exe 0x1a1cd:$s1: {11111-22222-20001-00001} 0x3a1d5:$s1: {11111-22222-20001-00001}
00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a47b:$x1: Nuclear Explosion.g.resources 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1585d:$x7: Nuclear Explosion.exe 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1b67b:$x1: Nuclear Explosion.g.resources 0x4009b:$x1: Nuclear Explosion.g.resources 0x18e81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x3d8a1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x16a5d:$x7: Nuclear Explosion.exe 0x3b47d:$x7: Nuclear Explosion.exe 0x1b91d:$s1: {11111-22222-20001-00001} 0x4033d:$s1: {11111-22222-20001-00001}
Process Memory Space: kHCaZ06n23.exe PID: 6480	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6504	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1821a:$x1: Nuclear Explosion.g.resources 0x15ac3:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x13861:$x7: Nuclear Explosion.exe
Process Memory Space: aspnet_compiler.exe PID: 6504	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: SecurityHealthService.exe PID: 6868	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x144e8:$x1: Nuclear Explosion.g.resources 0x11d7b:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0xfaf8:$x7: Nuclear Explosion.exe
Process Memory Space: SecurityHealthService.exe PID: 6868	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 6972	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x10c4b:$x1: Nuclear Explosion.g.resources 0xe4d1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0xc200:$x7: Nuclear Explosion.exe
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.kHCaZ06n23.exe.400000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
1.2.aspnet_compiler.exe.400000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
8.2.SecurityHealthService.exe.400000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
0.2.kHCaZ06n23.exe.400000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
0.2.kHCaZ06n23.exe.3667e00.1.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x18c7b:$x1: Nuclear Explosion.g.resources 0x16481:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1405d:$x7: Nuclear Explosion.exe 0x18f1d:$s1: {11111-22222-20001-00001}
10.0.aspnet_compiler.exe.630000.1.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
0.2.kHCaZ06n23.exe.3667e00.1.raw.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x3f29b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x3caa1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x3a67d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001} 0x3f53d:$s1: {11111-22222-20001-00001}
10.2.aspnet_compiler.exe.630000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
10.0.aspnet_compiler.exe.630000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
8.0.SecurityHealthService.exe.400000.0.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001}
8.2.SecurityHealthService.exe.3707e00.1.raw.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x1a87b:$x1: Nuclear Explosion.g.resources 0x3f29b:$x1: Nuclear Explosion.g.resources 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x3caa1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x15c5d:$x7: Nuclear Explosion.exe 0x3a67d:$x7: Nuclear Explosion.exe 0x1ab1d:$s1: {11111-22222-20001-00001} 0x3f53d:$s1: {11111-22222-20001-00001}
8.2.SecurityHealthService.exe.3707e00.1.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x18c7b:$x1: Nuclear Explosion.g.resources 0x16481:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x1405d:$x7: Nuclear Explosion.exe 0x18f1d:$s1: {11111-22222-20001-00001}
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Visual Basic Command Line Compiler Usage

Show sources

Source: Process started

Author: Ensar amil, @sblmsrsn, @oscd_initiative: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ParentCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline', ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ParentProcessId: 6848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', ProcessId: 6916

Sigma detected: Conhost Parent Process Executions

Show sources

Source: Process started

Author: omkar72: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6584, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6304

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp

Malware Configuration Extractor: RevengeRAT {"Key": "Revenge-RAT", "Host": ["127.0.0.1:1488", "zalupa1488.ddns.net:1488"], "ID": "SecondVek", "Mutex": "RV_MUTEX"}

Multi AV Scanner detection for submitted file

Show sources

Source: kHCaZ06n23.exe	Virustotal: Detection: 70%			Perma Link
Source: kHCaZ06n23.exe	ReversingLabs: Detection: 77%

Antivirus / Scanner detection for submitted sample

Show sources

Source: kHCaZ06n23.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\$Recycle.Bin.exe	Avira: detection malicious, Label: HEUR/AGEN.1142426

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	ReversingLabs: Detection: 77%
Source: C:\Windows\SecurityHealthService.exe	Virustotal: Detection: 70%	Perma Link
Source: C:\Windows\SecurityHealthService.exe	ReversingLabs: Detection: 77%

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: kHCaZ06n23.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Joe Sandbox ML: detected
Source: C:\$Recycle.Bin.exe	Joe Sandbox ML: detected

Source: 0.2.kHCaZ06n23.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.aspnet_compiler.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.2.aspnet_compiler.exe.630000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.SecurityHealthService.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.aspnet_compiler.exe.630000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.SecurityHealthService.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.aspnet_compiler.exe.630000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: kHCaZ06n23.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: m;C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000002.00000002.258440439.0000000000402000.00000040.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdbJ, source: aspnet_compiler.exe, 00000001.00000002.265032045.000000000115B000.00000004.00000020.sdmp
Source:	Binary string: shell32.pdb source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp

Source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: kHCaZ06n23.exe, type: SAMPLE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.3667e00.1.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.3667e00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 10.0.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.3707e00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.3707e00.1.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: Process Memory Space: aspnet_compiler.exe PID: 6972, type: MEMORYSTR	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPED	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPED	Matched rule: Detects RevengeRAT malware Author: Florian Roth

Source: kHCaZ06n23.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: kHCaZ06n23.exe, type: SAMPLE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.3667e00.1.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.3667e00.1.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.0.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.3707e00.1.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.3707e00.1.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: Process Memory Space: aspnet_compiler.exe PID: 6972, type: MEMORYSTR	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPED	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPED	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File created: C:\Windows\SecurityHealthService.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CC96D8	1_2_02CC96D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCA428	1_2_02CCA428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCBF60	1_2_02CCBF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CC0BF8	1_2_02CC0BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCCEC8	1_2_02CCCEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCBFCB	1_2_02CCBFCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCBFE6	1_2_02CCBFE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CCBF50	1_2_02CCBF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 1_2_02CC0C08	1_2_02CC0C08

Source: $Recycle.Bin.exe.6.dr

Static PE information: No import functions for PE file found

Source: $Recycle.Bin.exe.6.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: kHCaZ06n23.exe	Virustotal: Detection: 70%
Source: kHCaZ06n23.exe	ReversingLabs: Detection: 77%

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

File read: C:\Users\user\Desktop\kHCaZ06n23.exe

Jump to behavior

Source: kHCaZ06n23.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kHCaZ06n23.exe 'C:\Users\user\Desktop\kHCaZ06n23.exe'
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP'
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Code function: 0_2_008FA7DA AdjustTokenPrivileges,	0_2_008FA7DA
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Code function: 0_2_008FA7A3 AdjustTokenPrivileges,	0_2_008FA7A3
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Code function: 8_2_008FA7DA AdjustTokenPrivileges,	8_2_008FA7DA
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Code function: 8_2_008FA7A3 AdjustTokenPrivileges,	8_2_008FA7A3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe

Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

File created: C:\Users\user\AppData\Local\Temp\paRClgZbl.txt

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/21@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6304:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\RV_MUTEX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01

Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp

Binary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat

Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: m;C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000002.00000002.258440439.0000000000402000.00000040.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdbJ, source: aspnet_compiler.exe, 00000001.00000002.265032045.000000000115B000.00000004.00000020.sdmp
Source:	Binary string: shell32.pdb source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: kHCaZ06n23.exe, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: kHCaZ06n23.exe, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SecurityHealthService.exe.1.dr, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SecurityHealthService.exe.1.dr, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SecurityHealthService.exe0.1.dr, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SecurityHealthService.exe0.1.dr, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Nuclear_Explosion/Atomic.cs	.Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: kHCaZ06n23.exe, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: kHCaZ06n23.exe, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: SecurityHealthService.exe.1.dr, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: SecurityHealthService.exe.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: SecurityHealthService.exe0.1.dr, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: SecurityHealthService.exe0.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs	High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File created: C:\Windows\SecurityHealthService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File created: C:\$Recycle.Bin.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File created: C:\Windows\SecurityHealthService.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File created: C:\$Recycle.Bin

Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6768	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Dropped PE file which has not been started: C:\$Recycle.Bin.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: aspnet_compiler.exe, 00000001.00000002.265018064.0000000001150000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 426000	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 428000	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 42A000	Jump to behavior
Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: D7E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 630000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 632000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 656000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 658000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 65A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4B9008	Jump to behavior

.NET source code references suspicious native API functions

Show sources

Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: kHCaZ06n23.exe, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: kHCaZ06n23.exe, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: kHCaZ06n23.exe, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: kHCaZ06n23.exe, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: SecurityHealthService.exe.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: SecurityHealthService.exe.1.dr, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: SecurityHealthService.exe.1.dr, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: SecurityHealthService.exe.1.dr, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: SecurityHealthService.exe0.1.dr, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: SecurityHealthService.exe0.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: SecurityHealthService.exe0.1.dr, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: SecurityHealthService.exe0.1.dr, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs	Reference to suspicious API methods: ('BxG2x1Ad5Q', 'FindResource@kernel32.dll'), ('eD022nAMNh', 'FindResource@kernel32.dll'), ('abn2OTD4UG', 'FindResource@kernel32.dll'), ('n8C2SuLwpH', 'LoadLibrary@kernel32.dll'), ('IIJ2cr0Lp2', 'LoadLibraryEx@kernel32.dll'), ('rM22HJfd41', 'FindResource@kernel32.dll')
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Microsoft.API/Win32.cs	Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs	Reference to suspicious API methods: ('mskNH3NJWK', 'OpenProcess@kernel32.dll'), ('UPDl58Diio', 'WriteProcessMemory@kernel32.dll'), ('l1FNOjWbOM', 'VirtualProtect@kernel32.dll'), ('D65l3nG3b4', 'LoadLibrary@kernel32'), ('PMYlmvHqMs', 'FindResource@kernel32.dll'), ('s6Il4Ksxnw', 'GetProcAddress@kernel32'), ('HU4ljNnyRT', 'VirtualProtect@kernel32.dll'), ('Wd4lzVrcxi', 'ReadProcessMemory@kernel32.dll')
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, fZKKoHcqswZNNNIBFP/TmPyF3SCXGiCmnobWU.cs	Reference to suspicious API methods: ('DHqpswZNN', 'WriteProcessMemory@kernel32.dll'), ('mRNaVFZM6', 'VirtualAllocEx@kernel32.dll'), ('DbWbUlZKK', 'ReadProcessMemory@kernel32.dll')
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Nuclear_Explosion/Atomic.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 630000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 630000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\kHCaZ06n23.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
Source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp	Binary or memory string: \|}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR

Remote Access Functionality:

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Access Token Manipulation1	Masquerading21	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing11	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kHCaZ06n23.exe	70%	Virustotal		Browse
kHCaZ06n23.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.RevengrRat
kHCaZ06n23.exe	100%	Avira	TR/Dropper.Gen
kHCaZ06n23.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	100%	Avira	TR/Dropper.Gen
C:\$Recycle.Bin.exe	100%	Avira	HEUR/AGEN.1142426
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	100%	Joe Sandbox ML
C:\$Recycle.Bin.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	70%	Virustotal		Browse
C:\Users\user\AppData\Roaming\SecurityHealthService.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.RevengrRat
C:\Windows\SecurityHealthService.exe	70%	Virustotal		Browse
C:\Windows\SecurityHealthService.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.RevengrRat

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.kHCaZ06n23.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.2.aspnet_compiler.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.2.aspnet_compiler.exe.630000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.kHCaZ06n23.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.0.SecurityHealthService.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.0.aspnet_compiler.exe.630000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.SecurityHealthService.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
10.0.aspnet_compiler.exe.630000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	494353
Start date:	30.09.2021
Start time:	15:42:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kHCaZ06n23 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/21@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.2% (good quality ratio 4.3%) Quality average: 55.2% Quality standard deviation: 36.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 102 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.54.203, 20.42.65.92, 20.49.157.6, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 20.82.210.154 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:43:31	API Interceptor	1x Sleep call for process: kHCaZ06n23.exe modified
15:43:32	API Interceptor	3x Sleep call for process: aspnet_compiler.exe modified
15:43:36	API Interceptor	1x Sleep call for process: SecurityHealthService.exe modified
15:43:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\$Recycle.Bin.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	8704
Entropy (8bit):	4.639105052042169
Encrypted:	false
SSDEEP:	192:szq7rcDOpiuVBnlYJLLLTTeJWPNRCzt16+gQ+Mna:szqrGu0PLTWiwx1
MD5:	B4B7CAA9EE9055185B290EA904ACBD0B
SHA1:	43315C26C9E7FCC872A5CE15E742AFADCBDE69D8
SHA-256:	311C4C405A791ED366E82A8A6005F2F8152ADDF6D863B271795557DEF2BD653C
SHA-512:	FA370E22016FB59D052BB9A9012FDEBBE2DF5CD2FA1DAA963A8BA9D949943AF7647ABD944FD32B398A65BDA40C6F2020FDFB6FEC8957584565E2F48F213D14D4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=Va.............................0... ...@....@.. ....................................@.................................x0..S....@..8....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`....... ..............@..B..................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..G.......(....r...p(....(....&..( ...(!.....(....rG..p(....(....&..( ...(!.....*.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_compiler._1ff02446db6cbd316aaf8b3016eb2acf76e0f0af_ceb0609f_1b51df41\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	7728
Entropy (8bit):	3.7626691392011082
Encrypted:	false
SSDEEP:	96:1OF1cztLOmFcqioI7JfjpXIQcQvc6QcEDMcw3DSIh+HbHgA9ZAXGng5FMTPSkvP+:IPcztLOmkHBUZMXgjc/u7siS274ItZA
MD5:	832E6D12B81A354B96A086B13034E8DD
SHA1:	A253D2A5998558F6527146D757C2B9A00F96F44C
SHA-256:	039A9E44F625B33A3D6D55B2D0C10236BEE276D2C9E2C465166CA60150125E8C
SHA-512:	1C64D75C8E7A0EFCA015EF5B805B7A79C3F5B14E83976329B070476244C421B665E7842B66B72B745EB2AF8A630FDFB8D90E7A1843F9F653B873C52081D8F39A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.5.1.5.4.2.1.3.9.2.2.7.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.7.5.1.5.4.2.6.5.4.8.4.8.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.0.1.e.2.f.d.-.d.9.a.b.-.4.f.2.1.-.9.c.1.a.-.2.8.c.1.8.f.7.f.0.4.1.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.6.7.8.8.0.f.-.b.1.7.a.-.4.2.a.f.-.9.a.5.6.-.d.e.e.7.c.a.8.0.6.a.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.c.o.m.p.i.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.c.o.m.p.i.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.c.-.0.0.0.1.-.0.0.1.7.-.7.a.e.0.-.5.9.9.b.4.c.b.6.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.1.6.4.c.5.d.c.9.5.e.b.c.c.9.e.c.b.3.0.5.e.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC08E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Sep 30 22:43:41 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	31864
Entropy (8bit):	1.7397897910211273
Encrypted:	false
SSDEEP:	96:5dll8D/oUyZ6UcpM2tt3bzLuvdqTxwRR/Bpv3n8miP+phWAWInWItgIDAX20p:rcN3zuvPBV8mGWWaAX20p
MD5:	32D687B7FE7C5211EE7406A63C2B383C
SHA1:	38C157DA44DDA947C648BAF6C0FB63725BCF85BC
SHA-256:	54FBA8D54E28BDFF67D337A964A69687527D5E18BDDB2833FF55074E32EA00EF
SHA-512:	24EB95D1FC017B054E963D372758B19836E223D4F1C1FDB0A1544215A344583E68AABE1BDB85B50D4D99A35704CDB28A82EAADE16A5314710F56AC1C52081352
Malicious:	false
Preview:	MDMP....... ........=Va...................U...........B......@.......GenuineIntelW...........T.......<....=Va.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC283.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6330
Entropy (8bit):	3.726618137715057
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiiu6/qjYsSNCprRi89b4vsfnom:RrlsNiL6/qjYsS6b4Uft
MD5:	704EBC3C1858A60B878C6E4DEDE816BA
SHA1:	45D2891440E9B4640A0F79ECE3DC7605820EA9E6
SHA-256:	AA6F8B9E3F492CC2824BB6500C7986E0AF0A5028B5A7BE3855F92DEC3404A9E8
SHA-512:	289CBA6894A3FDF03A19F34A817641551C82BDB2114F5120D86A567AE5BBDEBD41D9967D65990E94441A1E81B8289A64BEC5F32520DC6B8D3C89A52E5A4D3718
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4B6.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4708
Entropy (8bit):	4.496308828890443
Encrypted:	false
SSDEEP:	48:cvIwSD8zsrJgtWI9LrWSC8BR8fm8M4JVrSkZFO+q8b1CU6XnOZCRKUd:uITfF8aSNsJVrqgd6XnOSKUd
MD5:	F90F36920BC15D85828D5B3957FD1F27
SHA1:	5CA50F97B6BAA837F6D358624B99B57DF4824312
SHA-256:	EDF02532357BA96AE90C56765D42199E28DEB0E5E2406D5C0060742B1705C836
SHA-512:	794FB385621E0C67CAB050BD098C03C5A18808D7ED19E8ECF5F8CAA9FD5224C749B4C4ACF61A57038776BF9675A561FBDA79B8ED6BD25C8D3488E5899FE3BD3A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1189914" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Windows\gtnxDpnFwU.ico Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.120954828276924
Encrypted:	false
SSDEEP:	24:RKr1APoyOJGCs8zsJsWmg9a9V9M5PUUUUUU/:Yr1APoTJGCs8zsJ1mg9a9V983
MD5:	42D552558E7E6F7440B2B63A6CDE217F
SHA1:	9C8FA01060F667CF3B0CAAD33E91FA59E643CF76
SHA-256:	11B5A0730666935C78D22B379F83EA5FC30D1AFDEA09A796B4F18B38A1E1EF69
SHA-512:	E6A6DC1239B9668E7FFC883B3CF46AFF8C9F86EF11AE975F6FB65531D8B9313ACD7608272042E322FAD415A45C0CF767252D2C620AD066E6809656AF0F09441B
Malicious:	false
Preview:	............ .h.......(....... ..... .....@...........................H...H...H...G...G...G...F...F...F...F...E...F...E...............I.......................................F.......F...............I.......................................F.......F...............I.......................................F.......F...............I.......................................F.......F...............J.......................................G.......G...............J.......................................X...O...G..............J...........................................G...G...............K...........................................G...................K...........................................H...................K...........................................H...................L...........................................H...................L...........................................I...................L...........................................I...................L.................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	311
Entropy (8bit):	5.323131242172993
Encrypted:	false
SSDEEP:	6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhpDLI4M9tDLI4MWuPk21v
MD5:	8722E88F9E6ACB8D431A70E7039AEB75
SHA1:	28046D604A6500451BE3F539BAA6BA4BB68A70D0
SHA-256:	3C0F25EBE9FE43091DE5A65EE92748F2B531F29DD2743B0D4E01DCCFADC95B5E
SHA-512:	937092F2EDCABD47CD1896C5CFBAB8E7E443D1039650B3462DF0E301F6C53562A4B91FBF59A04957839DE5C121D061C08C6BD274E02DF2C8CC477F601C442C3B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\RESD3BA.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	data
Category:	modified
Size (bytes):	6228
Entropy (8bit):	3.036674968965575
Encrypted:	false
SSDEEP:	96:oKJKiT+zdr1APoTxs+sJQ+Mn4zNtduC83:tCzt16+gQ+MnaQ
MD5:	B14C4D0777C57F4E9B2D54E2021FF3F7
SHA1:	8CB169A471B11CF533A4B1341093F71283F41D95
SHA-256:	DE521B360B3FA6392477DA54F772ADBC4E41E3A583EFC277CCE187445DCD78A8
SHA-512:	8884DD38D205728E36316B08DDF8E9284693A06DA8C30684107F45883CE62F26626C6436E4426772297C2E06DACF18A8F72C767A7271D87CF0AA6CF233B432F5
Malicious:	false
Preview:	........M....C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP..................Ka.}.LV..d#..t...........7.......C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp.-.<...................'...Microsoft (R) CVTRES.`.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.0.vb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.281061091084436
Encrypted:	false
SSDEEP:	6:iMwSu9inCuWJHM3RLktOPft1KIE+asDMSouyeCs+TnXTFvrROC2yeCzknKWFzROX:55u9eCuWNkWXqDMbHeCssn5TRO0eCAne
MD5:	E943C5FADE0193B27DB5CDB8B3A9D913
SHA1:	78B8094858E05A71F80C5D87B7E6941E137AB621
SHA-256:	CFD4868F7BFA3FF0ED30A05CB51735128A5E27EC6F9FEECFDDC858ED5EC70A3A
SHA-512:	6DCF3DDE5D4253C055A30C827694C951975F57E1F3BE152FAF5DDD33CE3100D91B620DA935F4859EF4B9EDBDB97235B164CB07646AC0B7C6AE834D6DD78696E9
Malicious:	false
Preview:	.Imports Microsoft.VisualBasic, System.Reflection, System.Diagnostics.Process, System.Windows.Forms.Application..<Assembly: AssemblyCompany("ZRvZwfRtNH")>..Module ZuiGGjj..Sub Main()..Try : Start(StartupPath & "\Windows\SecurityHealthService.exe") : Catch : End Try..Try : Start(StartupPath & "\Windows\$Recycle.Bin") : Catch : End Try..End Sub..End Module

C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	UTF-8 Unicode (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.1503040777922005
Encrypted:	false
SSDEEP:	6:pAu+H2uM3RLRwMknKQVxKaG4rNqwcNwi23f7phH:p37ukspnzrGATZjpR
MD5:	525B7BE3E43E193E0478240ECD10F13B
SHA1:	A6EA8EC81035B837C75EC01D9A907FD439C8E4CD
SHA-256:	19B18994E044A03379E64967CDFDA635D72EE54232E1A54D23A9A379DCD2B156
SHA-512:	EEB9A2C0D7D80240D85A6557ABD233655570E3D22EC10C0A4D0239D3D21B039FAE82F6ACB04D6E0B19677BED4B12EB9CBD263176A78157C3D1552ABF45818782
Malicious:	true
Preview:	./t:library /utf8output /R:"System.Windows.Forms.Dll" /out:"C:\$Recycle.Bin" /debug- /target:winexe /win32icon:C:\ProgramData\Windows\gtnxDpnFwU.ico "C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.0.vb"

C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	modified
Size (bytes):	445
Entropy (8bit):	4.860192640511881
Encrypted:	false
SSDEEP:	12:zKIZoD6BFNv2BZvK2wo8dRRarZucW8W3ZDPON:zKIZoD6D12BVKVrdrAMDNJTe
MD5:	2FC4EF23E283A481436A133D08C779F7
SHA1:	2940E46218B588ACB509E05423113958379445A7
SHA-256:	AEF17387669CF30FAFA53E1B7C1A8DB8BE2FF5A71B7EA8C6A62A6C580A24BEE8
SHA-512:	F3F2C1FB22212DDA471045D19F98AC93E2BEBEB2D77DBCCBE9A66C9C31A0B1F4BE192AF9ED1B51995682E050991083CBADE61DAD5D6DE426520D4B4267380E31
Malicious:	false
Preview:	Microsoft (R) Visual Basic Compiler version 14.7.3056.for Visual Basic 2012..Copyright (c) Microsoft Corporation. All rights reserved...This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to Visual Basic 2012, which is no longer the latest version. For compilers that support newer versions of the Visual Basic programming language, see http://go.microsoft.com/fwlink/?LinkID=533241....

C:\Users\user\AppData\Local\Temp\paRClgZbl.txt Download File
Process:	C:\Users\user\AppData\Roaming\SecurityHealthService.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.588233670962456
Encrypted:	false
SSDEEP:	3:oN0nacwREaKC5GQTT2AXTFA:oNcNwiaZ5zTnXTFA
MD5:	511F015742303AA82523E9587911E8BF
SHA1:	BFB0322A92ADB0820F467727455EDE57A24B3B62
SHA-256:	538CAE6E18F4D408D192800DD84A1597D100B872EF4B932E4D3F93819C12806F
SHA-512:	410BC1B55DE281EB38EE2A225D91E45FAC5D4F6564F5913664CFBC991D8DEA30F870019ECCB191EBA6BD31A1E238592451A9B5D3E77B59AA30952EB5503655A2
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\SecurityHealthService.exe

C:\Users\user\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	4.8445072542918455
Encrypted:	false
SSDEEP:	48:yg96ul0T+zsqyr1APoTJGCs8zsJ1mg9a9V98tVSfbNtme:BiT+zEr1APoTxs+sJQ+MnbzNt3
MD5:	4B61CA7DA54C560A86642385B574E7A0
SHA1:	09903721318950D78D3805736B136A413F8BC231
SHA-256:	E4A8E02FF438974074EE9847F762D017D1613AE8C3D42FCC92990B1C290629CD
SHA-512:	E84E8B2F7189EF867048EB631067FBAF1B09507AF352B51B6F842E2FF264846E593464ADA7C2F0F8D3A61F945BEE739F88A4C47C3E928A2B69C367488D6AD34C
Malicious:	false
Preview:	.... ...............................<...............0.............4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...8.....C.o.m.p.a.n.y.N.a.m.e.....Z.R.v.Z.w.f.R.t.N.H.....,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...D.....I.n.t.e.r.n.a.l.N.a.m.e...$.R.e.c.y.c.l.e...B.i.n...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...L.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...$.R.e.c.y.c.l.e...B.i.n...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...h... ...........................(....... ..... .....@...........................H...H...H...G...G...G...F...F...F...F...E...F...E...............I.......................................F.......F...............I.......................................F.......F...............I...

C:\Users\user\AppData\Local\Temp\vbcB418578C6904C8CA11CE1637C7D4B29.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	722
Entropy (8bit):	3.702438690776191
Encrypted:	false
SSDEEP:	12:nficlYP8070ZMlWlYEUsIxNzxBuZZ7AfMuEW+lj4V6AfMuEW+splkzkEV1:nZY8RZkWhMzxBUmfMdW+ylfMdW+I+H1
MD5:	8E294D0A9327E1EBC9F40B1A308F6F7A
SHA1:	0B0260857BDD568C6C0964AD77C74C59876D2EEA
SHA-256:	BBF88EE91824B27A362FC9FBC0EBF32BCBC6B476F0AF30DD54D2D2BEA6576DC8
SHA-512:	DCD4C057275B05168D5D3B62E9E2A695546ED35135412B805F448FB7B1B831AE96BFF8F76DFFBEF3D026127694B8AC7CE55C1AC5853B8AF62E39716A3A0748BA
Malicious:	false
Preview:	....G. .L...I.m.p.o.r.t.s. .M.i.c.r.o.s.o.f.t...V.i.s.u.a.l.B.a.s.i.c.,. .S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n.,. .S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...P.r.o.c.e.s.s.,. .S.y.s.t.e.m...W.i.n.d.o.w.s...F.o.r.m.s...A.p.p.l.i.c.a.t.i.o.n.....<.A.s.s.e.m.b.l.y.:. .A.s.s.e.m.b.l.y.C.o.m.p.a.n.y.(.".Z.R.v.Z.w.f.R.t.N.H.".).>.....M.o.d.u.l.e. .Z.u.i.G.G.j.j.....S.u.b. .M.a.i.n.(.).....T.r.y. .:. .S.t.a.r.t.(.S.t.a.r.t.u.p.P.a.t.h. .&. .".\.W.i.n.d.o.w.s.\.S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.e.r.v.i.c.e...e.x.e.".). .:. .C.a.t.c.h. .:. .E.n.d. .T.r.y.....T.r.y. .:. .S.t.a.r.t.(.S.t.a.r.t.u.p.P.a.t.h. .&. .".\.W.i.n.d.o.w.s.\.$.R.e.c.y.c.l.e...B.i.n.".). .:. .C.a.t.c.h. .:. .E.n.d. .T.r.y.....E.n.d. .S.u.b.....E.n.d. .M.o.d.u.l.e.

C:\Users\user\AppData\Roaming\SecurityHealthService.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	151040
Entropy (8bit):	6.326254665126361
Encrypted:	false
SSDEEP:	3072:qBoE3iDntU9c8gVMpRQ1n6oAj6HnfuO3QwQUce+:qbSDnttMp66bk9Bce+
MD5:	2607D8CF98F5E467376E0F8669D70544
SHA1:	8E20937D3B8AAFE4F48AC66264E02487E9B86E9F
SHA-256:	B943704744A23C06174A36AA0E24ECC7AC67AAD9EDC9C4BD46DD1F007514796D
SHA-512:	E3ECE99F7B4FD77E51884E85F90DA17C69ADAD2C515EC833DC075CE8098672D88FEBF491CD5DAD0BD139EA16174B9E6FBA2DEBF2CACE43293D7DACD74E17C6E8
Malicious:	true
Yara Hits:	Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 70%, Browse Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................:..........nY... ...`....@.. ...................................................................... Y..K.................................................................................... ............... ..H............text...t9... ...:.................. ..`.sdata..@....`.......>..............@....rsrc................@..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecurityHealthService.exe:Zone.Identifier Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SecurityHealthService.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	151040
Entropy (8bit):	6.326254665126361
Encrypted:	false
SSDEEP:	3072:qBoE3iDntU9c8gVMpRQ1n6oAj6HnfuO3QwQUce+:qbSDnttMp66bk9Bce+
MD5:	2607D8CF98F5E467376E0F8669D70544
SHA1:	8E20937D3B8AAFE4F48AC66264E02487E9B86E9F
SHA-256:	B943704744A23C06174A36AA0E24ECC7AC67AAD9EDC9C4BD46DD1F007514796D
SHA-512:	E3ECE99F7B4FD77E51884E85F90DA17C69ADAD2C515EC833DC075CE8098672D88FEBF491CD5DAD0BD139EA16174B9E6FBA2DEBF2CACE43293D7DACD74E17C6E8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 70%, Browse Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................:..........nY... ...`....@.. ...................................................................... Y..K.................................................................................... ............... ..H............text...t9... ...:.................. ..`.sdata..@....`.......>..............@....rsrc................@..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SecurityHealthService.exe:Zone.Identifier Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221
Entropy (8bit):	4.832091525010539
Encrypted:	false
SSDEEP:	6:zx3Me21f1LRJIQtUbw/VgRZBXVN+1GFJqozrCib:zKpj1JIdwqBFN+1Q3b
MD5:	57D5333A79B0C23C3389A5E316FAD23D
SHA1:	8D1047C6BF4929C993C504E2EF64D689C8F6BFC7
SHA-256:	83324659D6790503513C9B336FE9C6E368B4A8E88F11543D328ED871B86D5AD7
SHA-512:	FA15BD8DAABE061EC4629985E2500DA293817E32168EF91AB1F31CD2A322EC937236D86A58633862A7B40E7F15740C8A1F0E82EBB533334760E07CD84B6FF46A
Malicious:	false
Preview:	Microsoft (R) ASP.NET Compilation Tool version 4.7.3056.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.326254665126361
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	kHCaZ06n23.exe
File size:	151040
MD5:	2607d8cf98f5e467376e0f8669d70544
SHA1:	8e20937d3b8aafe4f48ac66264e02487e9b86e9f
SHA256:	b943704744a23c06174a36aa0e24ecc7ac67aad9edc9c4bd46dd1f007514796d
SHA512:	e3ece99f7b4fd77e51884e85f90da17c69adad2c515ec833dc075ce8098672d88febf491cd5dad0bd139ea16174b9e6fba2debf2cace43293d7dacd74e17c6e8
SSDEEP:	3072:qBoE3iDntU9c8gVMpRQ1n6oAj6HnfuO3QwQUce+:qbSDnttMp66bk9Bce+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................:..........nY... ...`....@.. .....................................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x42596e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60E1DA89 [Sun Jul 4 15:58:01 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25920	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0xb88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x23974	0x23a00	False	0.533682839912	data	6.35719295808	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0x26000	0x140	0x200	False	0.453125	MMDF mailbox	3.58625526854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x28000	0xb88	0xc00	False	0.342447916667	data	5.08994775661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x28058	0xb2d	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2021 15:43:37.224139929 CEST	51837	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:43:37.262563944 CEST	53	51837	8.8.8.8	192.168.2.7
Sep 30, 2021 15:43:49.005600929 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:43:49.018893003 CEST	53	55411	8.8.8.8	192.168.2.7
Sep 30, 2021 15:43:55.123141050 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:43:55.157825947 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:14.587692976 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:14.630486965 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:20.141971111 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:20.208022118 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:20.848447084 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:20.938364983 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:21.119062901 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:21.132118940 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:21.419150114 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:21.499522924 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:21.841253042 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:21.854757071 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:22.254353046 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:22.269016027 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:23.078038931 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:23.131709099 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:24.025186062 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:24.039520979 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:25.735168934 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:25.748483896 CEST	53	52914	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:26.449147940 CEST	64569	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:26.464435101 CEST	53	64569	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:26.879174948 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:26.896085978 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 30, 2021 15:44:33.417635918 CEST	50781	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:44:33.476615906 CEST	53	50781	8.8.8.8	192.168.2.7
Sep 30, 2021 15:45:04.218398094 CEST	54230	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:45:04.250592947 CEST	53	54230	8.8.8.8	192.168.2.7
Sep 30, 2021 15:45:05.934092045 CEST	54911	53	192.168.2.7	8.8.8.8
Sep 30, 2021 15:45:05.961301088 CEST	53	54911	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: kHCaZ06n23.exe PID: 6480 Parent PID: 4084

General

Start time:	15:43:30
Start date:	30/09/2021
Path:	C:\Users\user\Desktop\kHCaZ06n23.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kHCaZ06n23.exe'
Imagebase:	0x400000
File size:	151040 bytes
MD5 hash:	2607D8CF98F5E467376E0F8669D70544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, Author: Joe Security Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: aspnet_compiler.exe PID: 6504 Parent PID: 6480

General

Start time:	15:43:31
Start date:	30/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0xaa0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: aspnet_compiler.exe PID: 6564 Parent PID: 6504

General

Start time:	15:43:32
Start date:	30/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x4a0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6584 Parent PID: 6564

General

Start time:	15:43:32
Start date:	30/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 6848 Parent PID: 6504

General

Start time:	15:43:35
Start date:	30/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline'
Imagebase:	0x2e0000
File size:	2688096 bytes
MD5 hash:	B3A917344F5610BEEC562556F11300FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6856 Parent PID: 6848

General

Start time:	15:43:35
Start date:	30/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SecurityHealthService.exe PID: 6868 Parent PID: 6504

General

Start time:	15:43:35
Start date:	30/09/2021
Path:	C:\Users\user\AppData\Roaming\SecurityHealthService.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\SecurityHealthService.exe'
Imagebase:	0x400000
File size:	151040 bytes
MD5 hash:	2607D8CF98F5E467376E0F8669D70544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, Author: Joe Security Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, Author: Joe Security Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 70%, Virustotal, Browse Detection: 78%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cvtres.exe PID: 6916 Parent PID: 6848

General

Start time:	15:43:36
Start date:	30/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP'
Imagebase:	0x1230000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: aspnet_compiler.exe PID: 6972 Parent PID: 6868

General

Start time:	15:43:37
Start date:	30/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x260000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp, Author: Florian Roth Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: WerFault.exe PID: 7052 Parent PID: 6972

General

Start time:	15:43:39
Start date:	30/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188
Imagebase:	0xca0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6304 Parent PID: 6584

General

Start time:	15:44:50
Start date:	30/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: kHCaZ06n23.exe PID: 6480 Parent PID: 4084 kHCaZ06n23.exeCOMMON

Executed Functions

Function 008FA7A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 008FA823

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 71f259ca6509480523cd83e73b02d6a0603709179b7253895946f22139ba20d8
Instruction ID: 5a9faae308ae65b46297ea882c6e15069703e874bd5b7ac875d99971c2cedf5e
Opcode Fuzzy Hash: 71f259ca6509480523cd83e73b02d6a0603709179b7253895946f22139ba20d8
Instruction Fuzzy Hash: DD21D3755093849FEB128F25DC40B52BFB4EF16320F0884EAE985CF163D2759808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA7DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 008FA823

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: cbf90d968a1b4913370c723305ab2f7c05951fa0b7c3d0e1f6203d0d33472599
Instruction ID: d5558f22c9c84cf1e8fb1f909f64fe660389a75a40b251b3ace2bea7d78f488b
Opcode Fuzzy Hash: cbf90d968a1b4913370c723305ab2f7c05951fa0b7c3d0e1f6203d0d33472599
Instruction Fuzzy Hash: 80118C715002049FDB248F65E884B66FBA4EF04320F08C4AADE4ACB651D271E808CF62

Uniqueness

Uniqueness Score: -1.00%

Function 048039E7, Relevance: 8.5, APIs: 3, Strings: 1, Instructions: 1543memorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00000000,00003000,00000040), ref: 04803CD8
VirtualAllocEx.KERNEL32(04803D51,?,00000000,00000000,00003000,00000040), ref: 04803D4B
ResumeThread.KERNELBASE(?,?), ref: 04803F53

Strings

1i02, xrefs: 04803A7F

Memory Dump Source

Source File: 00000000.00000002.255287063.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false

Similarity

API ID: AllocVirtual$ResumeThread
String ID: 1i02
API String ID: 3804112640-960812804
Opcode ID: 24478221e79a0f73abf9866543e4fc5dcc3d64d51d4a658f6cba0d7d95fa9d62
Instruction ID: fae9c40a8bff9a9670f4bd01114d012e02ed5640d64fc79c77b6c3c0035d70ba
Opcode Fuzzy Hash: 24478221e79a0f73abf9866543e4fc5dcc3d64d51d4a658f6cba0d7d95fa9d62
Instruction Fuzzy Hash: F202F031B002189FDB98DBB9CC547AD7BA6AF84304F248569E909EB2D6DB34ED41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 008FAE31, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 008FAEE1

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b74f963aa76527c02050328eaedcc4a48cfc87d9daba1ef98abdd02a860cf387
Instruction ID: 0572b8f499b84a91e75983a589829f920753f754a73c7301d5def080ee433bff
Opcode Fuzzy Hash: b74f963aa76527c02050328eaedcc4a48cfc87d9daba1ef98abdd02a860cf387
Instruction Fuzzy Hash: 7C315075508384AFE722CF65DC45B66BFF8EF05320F08849EE9858B252D375E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FAA10, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAAAA

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 9ceed6e93ac93ae3cbe857b90a75602ff645353ed790207786a06935d013432d
Instruction ID: 2787c73930049159769bcf68eda7110ecfefbb281bceb3d354ec0c7717544941
Opcode Fuzzy Hash: 9ceed6e93ac93ae3cbe857b90a75602ff645353ed790207786a06935d013432d
Instruction Fuzzy Hash: DF21E9B25093846FE7128F25DC45BA6BFB8EF46320F0884DAE985DB153D2249949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB09, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAB9A

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c9d0ccec383d08f49917d69dae56c2440a5891f4cd4602e593ac39feb5d78573
Instruction ID: aa6e3fdd3e9aba4e69c1307eef68e2ee1ddb4ad195b7238a46250fdd0b9ce07e
Opcode Fuzzy Hash: c9d0ccec383d08f49917d69dae56c2440a5891f4cd4602e593ac39feb5d78573
Instruction Fuzzy Hash: 8721A3B15093846FE7228F25DC45F66BFACEF46320F0884AAE945DB152D264E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB518, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FB5A8

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 7876d4b792109e56a80b46df98629d72768a3c2649b633134c768b83f1e84001
Instruction ID: 5b1fe96490fcd24db047694ba438a84b5265051c867c2bc40262c41b43165cad
Opcode Fuzzy Hash: 7876d4b792109e56a80b46df98629d72768a3c2649b633134c768b83f1e84001
Instruction Fuzzy Hash: 1321B5715093846FEB128B25DC85F96BFA8EF46310F0884EBE984DF193D264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC00, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 008FACA6

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 49ab0ca2cc60a39a3a70d1740d3c5fdca0060679eece70176e89fb64f6c7f50a
Instruction ID: 7a8e1accf25b29573aeca596c5e28ac4713c1a479724058c9c818a75ba89331f
Opcode Fuzzy Hash: 49ab0ca2cc60a39a3a70d1740d3c5fdca0060679eece70176e89fb64f6c7f50a
Instruction Fuzzy Hash: 2C21AD715093C06FD7128B65CC55B66BFB8EF87610F0980DBD8848B1A3D624A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAF38, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAFCD

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b09224543d6fbe63707b3683ee60f9860832cefe99af0df8df57c2ff767d6179
Instruction ID: c0258ebf6ec6c72d516de41a5545d9b8124dc04d638134ba5496d6f762cc3551
Opcode Fuzzy Hash: b09224543d6fbe63707b3683ee60f9860832cefe99af0df8df57c2ff767d6179
Instruction Fuzzy Hash: 15213AB54097806FE7138B25DC40BA2BFACEF47720F18C4DAED848B193D2645909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FAE62, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 008FAEE1

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb676fd617fbc08473c32aa32926a89a23fdcf2451a4f09f645ccbddce4efde5
Instruction ID: 19c12672a2b137109d5a505296ff392db3b72d34e7c17e45c9ebd4fa40f051cf
Opcode Fuzzy Hash: fb676fd617fbc08473c32aa32926a89a23fdcf2451a4f09f645ccbddce4efde5
Instruction Fuzzy Hash: 86216DB1504244AFEB21DF65DD45B66FBE8FF04320F18846AEA898B251D771E404CA76

Uniqueness

Uniqueness Score: -1.00%

Function 008FB008, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FB099

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a892f7ccc0f15bec64be6c050c88106442430b3ba01b5bd08c181436eff7a967
Instruction ID: 64b6ad726334675ec24bc9b8e2c02a5f119b5204098753a16aab2856dcb7710d
Opcode Fuzzy Hash: a892f7ccc0f15bec64be6c050c88106442430b3ba01b5bd08c181436eff7a967
Instruction Fuzzy Hash: 77219271409784AFD7228F25DC44F66BFB8EF46314F08849FE9449B153C225A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB45B, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB4DC

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2eb5965c61a680df591ea21f7af74cb2b6ebc669de6db2df947ddd80a3ee243
Instruction ID: a4f681a852a44348839378fd39c7a4a971b990faa5fab8cf7818ae17c3469ec2
Opcode Fuzzy Hash: e2eb5965c61a680df591ea21f7af74cb2b6ebc669de6db2df947ddd80a3ee243
Instruction Fuzzy Hash: 9B2190755093C59FDB128F25DC50A62FFB4EF07310F0884DAE9858F163D265A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB36, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAB9A

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 2490dc559aeeb6f67b3490d8a85860edd5b674a29fd25fdb4e090e530d7b1e7c
Instruction ID: 0346edb35bef8101f7fd6a019aa2d48349defaa7d6ecd89e05396b945cbbf58c
Opcode Fuzzy Hash: 2490dc559aeeb6f67b3490d8a85860edd5b674a29fd25fdb4e090e530d7b1e7c
Instruction Fuzzy Hash: DC117FB1504204AFEB20CF65DC85F6ABBE8EF44720F14C4AAED49DB251D674E844CA72

Uniqueness

Uniqueness Score: -1.00%

Function 008FA597, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 008FA606

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 04c04249830bc605145edde20d0b1ac6decfa0f8cce3b647d664e69b66751ae1
Instruction ID: 67a44c99ca39b48342e6c6ec1b3dad4e9865e4480275d81d51cfe6fa9789a431
Opcode Fuzzy Hash: 04c04249830bc605145edde20d0b1ac6decfa0f8cce3b647d664e69b66751ae1
Instruction Fuzzy Hash: 832187B15053845FD711CF65DC44B62BFA8EF55620F0884AAED45CB252D275E814CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FACDC, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 008FAD56

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 108bf591938be90753494fbc3728a3764ab74ecb36cb22f41f6e1e5c34438820
Instruction ID: 1faf3ebde6b9f0e6eb4bd79d17d31811ec79e52911c8cf9d4d4d48bdcb7af36f
Opcode Fuzzy Hash: 108bf591938be90753494fbc3728a3764ab74ecb36cb22f41f6e1e5c34438820
Instruction Fuzzy Hash: CE21577140D3C09FDB138B649C94A56BFB4EF57220F0984EBD9848F1A3D228A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FAA4E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAAAA

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 5642b4ac491de25a69cbe9f8537a6a60d5699acbc4832c78f10decf5292c1945
Instruction ID: ac9b4be999826e28376c0b5f8da215dad387d4f858c786c4f5f40dd8b32881ce
Opcode Fuzzy Hash: 5642b4ac491de25a69cbe9f8537a6a60d5699acbc4832c78f10decf5292c1945
Instruction Fuzzy Hash: BC11C471504204AFEB21CF69ED85B6BFBE8EF44720F14C46AEE49DB241D674A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB552, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FB5A8

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 38922c68f0391071e2365e8926f0e0dd91d4724eb7b1c28c8ad8912fc90f3d82
Instruction ID: 0eeca5a02f071a6b8375c06c7f42ffa48c482a5abf62073921bee059c3209a25
Opcode Fuzzy Hash: 38922c68f0391071e2365e8926f0e0dd91d4724eb7b1c28c8ad8912fc90f3d82
Instruction Fuzzy Hash: 3811A371504204AFEB10DF2AEC85BAAFB9CEF48721F1484AAED45DB241D678A8048B71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB03A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FB099

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: fe8a0afa5039c65c9c963042da298e637894aa0dc60ca3eeac7ee30302e20bbb
Instruction ID: f7fb74f2b47b60a76c3f2f0c68f96ba0352e5d3314eb9036ade21c66655cbae4
Opcode Fuzzy Hash: fe8a0afa5039c65c9c963042da298e637894aa0dc60ca3eeac7ee30302e20bbb
Instruction Fuzzy Hash: 7B11B271400604AFEB218F65DC44B6BFBA8EF48720F14846AEE45DB251C775A4058F71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB30F, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB374

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5531f52f998b1fda1638abeec39b8f6a08f3c47cb92bca536c9e78cedc7327a3
Instruction ID: 03c576ec72263171c6d55fc16f997b14f60ae3fe711c896b370830da6cec040e
Opcode Fuzzy Hash: 5531f52f998b1fda1638abeec39b8f6a08f3c47cb92bca536c9e78cedc7327a3
Instruction Fuzzy Hash: 7A11D3764097809FDB228F21DC40A52FFB4EF56320F08C0DEED858A662C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FB268, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 008FB2C7

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 628ac1440484d61d8b0b019c7ef2359fe649103ef4d65a8316528b6bfffb194c
Instruction ID: f98d762ccf4ef2633bec93dd90fba838a02e0aa9dba91c43ea6ee05fbbb7719f
Opcode Fuzzy Hash: 628ac1440484d61d8b0b019c7ef2359fe649103ef4d65a8316528b6bfffb194c
Instruction Fuzzy Hash: AF118F755093849FD7118F25DC85B66FFE8EF06320F0980AAED458B262D375A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FA5BE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 008FA606

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bc7bbf2aeaaedf52098497b7a66c71f50061fa8ec37e17066dbc8d9f0507bdd4
Instruction ID: fbb253304fbd5d6017863a77b9147ab0d7ddaff781ee2542c8b4be3e84c98cb7
Opcode Fuzzy Hash: bc7bbf2aeaaedf52098497b7a66c71f50061fa8ec37e17066dbc8d9f0507bdd4
Instruction Fuzzy Hash: F911A1B1A042448FDB24CF79D885766FBE8EF14720F08C4AADE49CB245D274E804CE72

Uniqueness

Uniqueness Score: -1.00%

Function 008FA88C, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA8DC

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c79b9f5b24799b8c1a47a87a42cf21275e63e2c9d0ae801f02147c9b2717b45e
Instruction ID: 42894a6b482fa913a2d3142c339cd5f7dbd7cf28188379b1c2e73a7035e2295e
Opcode Fuzzy Hash: c79b9f5b24799b8c1a47a87a42cf21275e63e2c9d0ae801f02147c9b2717b45e
Instruction Fuzzy Hash: 9F11A0715093849FDB118F25DC84B56BFA4EF46220F0984AAED89CF262D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA464, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA4B4

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e706d3fdfe28beb7e73ea763f5308848e4e344c223c73174d26b866184432ef6
Instruction ID: 5c9f085c45b02be8dece38d16172746844604c816adaeaa474edd9ddd5c4b833
Opcode Fuzzy Hash: e706d3fdfe28beb7e73ea763f5308848e4e344c223c73174d26b866184432ef6
Instruction Fuzzy Hash: 2711C2715093849FDB11CF25DC85B56FFE4EF45220F08C4AAED49CF262C279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FAF7A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,32306931,00000000,00000000,00000000,00000000), ref: 008FAFCD

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4865d60e904bdf4e434fa89cc4aea22bbf113173dbf53253a727a13bf0af062c
Instruction ID: 05a6c6c2dec77e8274cdc2a7181c81dd63360678247512718600736f6765b4eb
Opcode Fuzzy Hash: 4865d60e904bdf4e434fa89cc4aea22bbf113173dbf53253a727a13bf0af062c
Instruction Fuzzy Hash: 1101D6B1504604AFEB20DB2ADC85B76FBD8EF44720F14C09AEE49DF241C674A5458A72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB496, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB4DC

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d6cbca10c02849d95e37dbce2940e515a59907847b4d13f49da82713beee1aff
Instruction ID: 1ec2050fb2f3f533e48938bb181e3c32e1e7693f8c69df9351dc917f4641fa5c
Opcode Fuzzy Hash: d6cbca10c02849d95e37dbce2940e515a59907847b4d13f49da82713beee1aff
Instruction Fuzzy Hash: D0018B355002089FDB20CF25D884B66FBA4EF18720F08C4AADE458B662D375E848DF61

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC56, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 008FACA6

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 8208e2c06665ed61825e571dd8bdfe12024e656bd0761e0206c41f430212cda7
Instruction ID: 344b4c8832dad8ab1b679dd94a1cdb6001dc913b49c38bc1a5917cd7e00933b0
Opcode Fuzzy Hash: 8208e2c06665ed61825e571dd8bdfe12024e656bd0761e0206c41f430212cda7
Instruction Fuzzy Hash: 02017171900200AFD710DF26DC86B26FBA8EB88B20F14C16AED089B645D635F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008FB28A, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 008FB2C7

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 38e86fea9f346f232d9095bc3f5feefdb5b195504951d02466df8f2d4c1596cf
Instruction ID: a7595894251d25b7d5141509f047995e5606147342b595acc02e9cb727b5544d
Opcode Fuzzy Hash: 38e86fea9f346f232d9095bc3f5feefdb5b195504951d02466df8f2d4c1596cf
Instruction Fuzzy Hash: 69015E75A046488FDB208F2AD885769FBA4FF05720F08C0AADE45CB656D775E848CE61

Uniqueness

Uniqueness Score: -1.00%

Function 008FADB0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FAE00

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 385c8aeaae4bd326407a4f7e76db953d46ca01d3176319ab518294661b736452
Instruction ID: 9231322fd3f79009542e785784b3a76b41b7822d55d353842cf3811d8fb4874c
Opcode Fuzzy Hash: 385c8aeaae4bd326407a4f7e76db953d46ca01d3176319ab518294661b736452
Instruction Fuzzy Hash: D9016D759093849FD7118F15DC85B52FFA4EF56320F08C4EAED498B262D275A848CF62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA482, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA4B4

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 81b67530f13e1231861cb084e0c5cd573ba6799dbdfdd5989fce9060dcad23d9
Instruction ID: 17fa65dcef241cdd077a150f1190290745085111211bac637a302d0f1bd83b91
Opcode Fuzzy Hash: 81b67530f13e1231861cb084e0c5cd573ba6799dbdfdd5989fce9060dcad23d9
Instruction Fuzzy Hash: 1E01F7719042449FDB14CF29E889765FB94EF50330F18C0AADD49CF646D2B49444CF72

Uniqueness

Uniqueness Score: -1.00%

Function 008FA8AA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA8DC

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9bfdfb79d2ca549346cac2707511fb372b8a1e18cc8183ae7e26c2347366ddda
Instruction ID: 5db8f6ed87687b111cc770bb0fa77edb45296e8978fc03677653972db4a342bb
Opcode Fuzzy Hash: 9bfdfb79d2ca549346cac2707511fb372b8a1e18cc8183ae7e26c2347366ddda
Instruction Fuzzy Hash: FA01BC71A042488FDB148F29E884766FBA4EF40330F18C0BADD49CB646D2B4A808CF72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB336, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB374

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6a96045ab400d7a816c7842c6ae5556ba0092df62fd2848ccd0888177d7d9692
Instruction ID: 8fde4e97d3ec19139a1133a787cf44f5f98fca2ae2dc6d3bad4033cb8abc92d5
Opcode Fuzzy Hash: 6a96045ab400d7a816c7842c6ae5556ba0092df62fd2848ccd0888177d7d9692
Instruction Fuzzy Hash: B2018C365006049FDB208F25E884B66FBE4FF04320F18C4AEEE868A665D371E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 008FAD1E, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 008FAD56

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 0a314fb7877af47d427e79278c751cb6ce93c5e4d6d49ebcb5038094850b4089
Instruction ID: e7f975c6bac2b08ab9350c6a51d94038b2ac134f4bf0a76e7dcfe892ac1c4d6b
Opcode Fuzzy Hash: 0a314fb7877af47d427e79278c751cb6ce93c5e4d6d49ebcb5038094850b4089
Instruction Fuzzy Hash: 39018F718042449FDB20DF65E884B65FBA4FF44321F18C4AADE498B616D275A408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 008FADCE, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FAE00

Memory Dump Source

Source File: 00000000.00000002.254832771.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ed6715602512f412c3436fba25057374221c590c8edc378f46358c098bc7afb0
Instruction ID: 7c9f7b4aabbfe89aec8eaac3be60e1156608badeb27bfc899c3bdb3e870a9aa0
Opcode Fuzzy Hash: ed6715602512f412c3436fba25057374221c590c8edc378f46358c098bc7afb0
Instruction Fuzzy Hash: B1F0AF759042489FDB248F15E884765FBA0EF04730F18C0AADE498B656D2B5A448CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 008F2477, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

1Fr<, xrefs: 008F24AC

Memory Dump Source

Source File: 00000000.00000002.254827501.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID: 1Fr<
API String ID: 0-799200857
Opcode ID: d2829ff7cd37372e235a6eaaf84414d08d711b44b7e77751bc959d0eabe57254
Instruction ID: 6ffd19bd24002d6ce13426adde3d14a47788c3390207f9d50b22dd1f76b140eb
Opcode Fuzzy Hash: d2829ff7cd37372e235a6eaaf84414d08d711b44b7e77751bc959d0eabe57254
Instruction Fuzzy Hash: 52716BA264E7DA4FCB038B3468641B47F71FB2732574A40EBC684CF0E3E254484A876A

Uniqueness

Uniqueness Score: -1.00%

Function 009705D1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254898596.0000000000970000.00000040.00000040.sdmp, Offset: 00970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c61764b162ac8d40a053462ea27578fc2d80930e6fa9930b4b79af1d90525e1
Instruction ID: b5396b6777142f3c122c52c08ea86158a8e82d009a57ae59cb5b7fccb24066fc
Opcode Fuzzy Hash: 7c61764b162ac8d40a053462ea27578fc2d80930e6fa9930b4b79af1d90525e1
Instruction Fuzzy Hash: 5DF0A9B65093906FD7128F06EC50867FFB8DB86620749C0AFEC498B652D225B908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 009705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254898596.0000000000970000.00000040.00000040.sdmp, Offset: 00970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabb0e6565c60e8efbb837ddcdfbef4ed7f85e801fab55622e193151e8385658
Instruction ID: cad4dc94bcc77192bc237cb963ebc8862250c379270cb698b19ba56caca16ea2
Opcode Fuzzy Hash: dabb0e6565c60e8efbb837ddcdfbef4ed7f85e801fab55622e193151e8385658
Instruction Fuzzy Hash: C5E09276A446005BD750CF0AEC81456F7E8EB84630718C07FDC0D8B710D535B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 008F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254827501.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de0a14159b09a7a88ac7562480504579247d6ebc0ef2455bccb62b0c7dbbb98
Instruction ID: 49e697b8e906c93190ddd140d94407abdcdbb8c4f02b2abdbeef093b6979720e
Opcode Fuzzy Hash: 9de0a14159b09a7a88ac7562480504579247d6ebc0ef2455bccb62b0c7dbbb98
Instruction Fuzzy Hash: 4FD05E79205A814FD327CA2CD1A8BA53B94FB61B04F4644FEE800CB663C3A8D981D610

Uniqueness

Uniqueness Score: -1.00%

Function 008F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254827501.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c34bf1722d8d72c9b0ad46983e5a320b22727686f19fe2dfde5c55c8c854d2c
Instruction ID: c17bedd7bb14441675bd13045861bbdf8d5e980c489f34d0ca03a90cff47a86e
Opcode Fuzzy Hash: 0c34bf1722d8d72c9b0ad46983e5a320b22727686f19fe2dfde5c55c8c854d2c
Instruction Fuzzy Hash: 30D017742006854BC725DA1CC194F6937D4BB81B00F0644E9AC008B362C7A8D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: aspnet_compiler.exe PID: 6504 Parent PID: 6480 aspnet_compiler.exeCOMMON

Executed Functions

Function 02CC96D8, Relevance: 4.7, Strings: 3, Instructions: 952COMMON

Download Yara Rule

Strings

D0m, xrefs: 02CC9B20
D0m, xrefs: 02CC9BAD
D0m, xrefs: 02CC9CAD

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID: D0m$D0m$D0m
API String ID: 0-2624661981
Opcode ID: 8b9e558a6e46ba5c6cd6934b8d7101cc68b302de90d62ce18a2e9ea4c3aac0e5
Instruction ID: 6fafe2e532cdbe7b64f1bb9ebcf763d1cf0afa555b0753187dd992579cefb093
Opcode Fuzzy Hash: 8b9e558a6e46ba5c6cd6934b8d7101cc68b302de90d62ce18a2e9ea4c3aac0e5
Instruction Fuzzy Hash: E3826D70A00219DFCB14CFA9C898AAEBBF6BF88304F258569E405DB365DB35DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CCBF60, Relevance: 2.6, Strings: 1, Instructions: 1315COMMON

Download Yara Rule

Strings

D0m, xrefs: 02CCD425

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EmptyWorking
String ID: D0m
API String ID: 3204950828-2549388878
Opcode ID: 0dfe399517128839c39d884d23ab6d27e9b5221b3f85d567ba35425bd8f8baa8
Instruction ID: f5ea9200273b75240b2c455ab45bec0cbf6ef3ac833025e950fe62f663472abe
Opcode Fuzzy Hash: 0dfe399517128839c39d884d23ab6d27e9b5221b3f85d567ba35425bd8f8baa8
Instruction Fuzzy Hash: F7C27D74F402148FDB68DB74C858BAEB6F2AF88340F2481A9D50AAB395DF359D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02CCCEC8, Relevance: .9, Instructions: 916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EmptyWorking
String ID:
API String ID: 3204950828-0
Opcode ID: 6bf98f5647e33e700429bf119b9313fadfe6d53766568f9dd5f0746b445f31cb
Instruction ID: b19c8f277d0880d2c534541d2e9091738cd443b6e0a3886247452bbcba2dff68
Opcode Fuzzy Hash: 6bf98f5647e33e700429bf119b9313fadfe6d53766568f9dd5f0746b445f31cb
Instruction Fuzzy Hash: EB825C74B402248FEB64EB74C858BAEB6F2AF88740F1481A9D50DEB395DF359D818F41

Uniqueness

Uniqueness Score: -1.00%

Function 02CCA428, Relevance: .9, Instructions: 908COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8916f408dc16c31d987d9c9f83a9afc8834556330313ee153b6a61eb6243b671
Instruction ID: 2e72e104daa41afffc9bd482f4af2f409315387cdf237aa6c086aa8e04c23c58
Opcode Fuzzy Hash: 8916f408dc16c31d987d9c9f83a9afc8834556330313ee153b6a61eb6243b671
Instruction Fuzzy Hash: 65826B71A00209DFCB14DF69C488AAEBBF2BF88314F2585ADE449DB265D731ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02CCBF50, Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EmptyWorking
String ID:
API String ID: 3204950828-0
Opcode ID: af72a1af08c2709581ad8f13b434c2af7e5660712f628ffe265979a45dd98f83
Instruction ID: 179bc25f547768dd1e0e33b7c6f5cff5ff87ab1a36ed71f7b732480a7f1c250b
Opcode Fuzzy Hash: af72a1af08c2709581ad8f13b434c2af7e5660712f628ffe265979a45dd98f83
Instruction Fuzzy Hash: FE528D74B402189FEB64DB748C64BAAB6F7AFC8700F14C1A9E509AB395CF319D818F11

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7408, Relevance: 5.1, APIs: 3, Instructions: 624processmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02CC76A8

Part of subcall function 02CC6954: WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 02CC7F54

ResumeThread.KERNELBASE(?), ref: 02CC7947
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02CC7C54

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Process$AllocCreateMemoryResumeThreadVirtualWrite
String ID:
API String ID: 4053986453-0
Opcode ID: b40a8f1b8670c76a2048e45084aa78edc35d126e12710d498ef968b498be90c4
Instruction ID: 1f9772dcd46360d52b08d7ab719b5339a711bb78a8002cd0f3fd222dad57e1be
Opcode Fuzzy Hash: b40a8f1b8670c76a2048e45084aa78edc35d126e12710d498ef968b498be90c4
Instruction Fuzzy Hash: 5A329171A002199FDF14DFA5C8547EEB7B6EF84308F2481ADD409AB381DB349A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CC73FF, Relevance: 3.4, APIs: 2, Instructions: 387processmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 02CC76A8

Part of subcall function 02CC6954: WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 02CC7F54

ResumeThread.KERNELBASE(?), ref: 02CC7947
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02CC7C54

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: Process$AllocCreateMemoryResumeThreadVirtualWrite
String ID:
API String ID: 4053986453-0
Opcode ID: 95e07a8af3896fa956d4ece31e854a6b7c186bfb937e315d95bc4c618a41e5b9
Instruction ID: f42b5b60fe7b9ac83ed4df35bfea8d852fa641ab8a44d3d812fe5a201c4bd840
Opcode Fuzzy Hash: 95e07a8af3896fa956d4ece31e854a6b7c186bfb937e315d95bc4c618a41e5b9
Instruction Fuzzy Hash: F7E16070A002199FDB14CFA5CD447EEB7BAEF88308F248169D509AB395DB74DA89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6930, Relevance: 1.6, APIs: 1, Instructions: 142processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 02CC7C54

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9cd1f97acef1aece29e1cc792aa7f76b31b35756ed9a35b8ad37bdf67200b450
Instruction ID: 40ed780031b9b6e182a280ceee97499358caabd7d31a2aed873b1f249c6219da
Opcode Fuzzy Hash: 9cd1f97acef1aece29e1cc792aa7f76b31b35756ed9a35b8ad37bdf67200b450
Instruction Fuzzy Hash: 04512671900229DFDF20CF95C894BDEBBB9FF48304F1084AAE909A7240D7719A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6954, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 02CC7F54

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e9bd1b952dbaa4ac2a18a4fb8da39028df72b4d60c95503552753e09b2574840
Instruction ID: 0076f5bb660d6932f7d775959b1984ed796712c0de784e47962b2bf2f6cd659b
Opcode Fuzzy Hash: e9bd1b952dbaa4ac2a18a4fb8da39028df72b4d60c95503552753e09b2574840
Instruction Fuzzy Hash: D621E6B19002099FCB10CF9AD984BDEFBF8FF48314F548469E918A7241D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7ED0, Relevance: 1.6, APIs: 1, Instructions: 64injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 02CC7F54

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 59b0a83b3b607aea62dc215dd9ca00131eb376a0b4edf9d508127980ee287424
Instruction ID: 630bcf0dd969f01252c8e9ed4387ae8ad3b8e8d0c9f955b86a673425ce71f363
Opcode Fuzzy Hash: 59b0a83b3b607aea62dc215dd9ca00131eb376a0b4edf9d508127980ee287424
Instruction Fuzzy Hash: 702105B19002099FCB10CFA9D984BDEBBF8FB48314F148429E918A7200D379AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6948, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02CC75C6,?,00000004,?), ref: 02CC7E81

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f7a9471f88e67c61ad96dd537b4dd0670895d701788bbf58ec6919dacd172d26
Instruction ID: b49eb99bdda2cbfe0b8f22b879f7ab4949bed777cb713de4b49013411b4d4073
Opcode Fuzzy Hash: f7a9471f88e67c61ad96dd537b4dd0670895d701788bbf58ec6919dacd172d26
Instruction Fuzzy Hash: 9221F3B19002499FCB10CF9AD984BDEFBF8FB48314F10842EE918A7201C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC6960, Relevance: 1.6, APIs: 1, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000,?,?,?,?,00000000,?,?,?,02CC7582), ref: 02CC7DBB

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 677f3268aae1b41da2c8d8798af9a1c7306cc23864b5731e03f7d122117554fb
Instruction ID: 8d7ef1d229c0c3e6c88b73e592e61bd3e4d5cd0e98fc996d9b5f26230835716b
Opcode Fuzzy Hash: 677f3268aae1b41da2c8d8798af9a1c7306cc23864b5731e03f7d122117554fb
Instruction Fuzzy Hash: 082136B1D002098FCB20CFAAC844BEEFBF8EB88324F148469D559A3340D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC693C, Relevance: 1.6, APIs: 1, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000,?,?,?,?,00000000,?,?,?,02CC7582), ref: 02CC7DBB

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7e9169b345c26e172095e17d7ab60303f46d9f9ad617e9044b9291266a918621
Instruction ID: d7526496544efd658a80cf659b40fcb74bd5cd0a734c1cf7d82745e91c10999a
Opcode Fuzzy Hash: 7e9169b345c26e172095e17d7ab60303f46d9f9ad617e9044b9291266a918621
Instruction Fuzzy Hash: 2D2106B19006099FCB20CFAAD844BEEFBF8EB88324F148469D559A3740D778A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7E08, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,02CC75C6,?,00000004,?), ref: 02CC7E81

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f7a4e33f4b6f4f07cb03445a6342c96e8112145e82e7062406592f62a05e1a19
Instruction ID: b7c0194ccde5cf28d6239c9830e60e6fa849f1793aedd22adde6bf142e7c2436
Opcode Fuzzy Hash: f7a4e33f4b6f4f07cb03445a6342c96e8112145e82e7062406592f62a05e1a19
Instruction Fuzzy Hash: 0D21F3B1D002599FCB10CF99D984BDEFBF8FB48314F10842AE918A7201C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CC7D49, Relevance: 1.6, APIs: 1, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000,?,?,?,?,00000000,?,?,?,02CC7582), ref: 02CC7DBB

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b3db59e670f5e17561fabfa1e93265bc0796c7cfd8d7b25240c03a7e445ac4f8
Instruction ID: dd9ca7a4b4db3d5c758228ae2712b2b39319ab55e35503e3626fd827d15bb649
Opcode Fuzzy Hash: b3db59e670f5e17561fabfa1e93265bc0796c7cfd8d7b25240c03a7e445ac4f8
Instruction Fuzzy Hash: 3D2138B1D002098FCB20CFAAC845BEEFBF8EB88324F148569D458A3340D738A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCFF00, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 02CCFF4E

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 75a0c803641d46ff61b9bbbc5415974314d07db7aca04e82fe34c9d483eecdae
Instruction ID: efc8a54e2376d43e02dc2fd6611b1b39ba8dbcbf9541cdc110805f7a0ba705d4
Opcode Fuzzy Hash: 75a0c803641d46ff61b9bbbc5415974314d07db7aca04e82fe34c9d483eecdae
Instruction Fuzzy Hash: 962100B0D403588EDB20CF9AC44979EBBF8AB09354F24846ED55AA7640C3796588CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCD548, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

K32EmptyWorkingSet.KERNEL32(?,?), ref: 02CCD5B2

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EmptyWorking
String ID:
API String ID: 3204950828-0
Opcode ID: 7a96b26ea0135ddecafdae01cc1647038bc18984c959521e48ddcfb07c17183a
Instruction ID: b086ebf9752936ed79b573e2679e96524041f520b64c569df16626d394558561
Opcode Fuzzy Hash: 7a96b26ea0135ddecafdae01cc1647038bc18984c959521e48ddcfb07c17183a
Instruction Fuzzy Hash: D41137B19002099FCB20CF99C485BEEBBF8FF48324F148429E559A3340D739A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CCB7FC, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

K32EmptyWorkingSet.KERNEL32(?,?), ref: 02CCD5B2

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID: EmptyWorking
String ID:
API String ID: 3204950828-0
Opcode ID: 7a4f36c389a7cab71d61c32cda9ec5aa234fc4984658e0537c5cbac35f3f97a5
Instruction ID: a1e683709e5c04a9266a8eef555e98cc0f57a7bee137036045226f42688e8c91
Opcode Fuzzy Hash: 7a4f36c389a7cab71d61c32cda9ec5aa234fc4984658e0537c5cbac35f3f97a5
Instruction Fuzzy Hash: 8C1137B19002099FCB20CF99C844BEEBBF8FB48324F148469E555A7340D739AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02CCBFCB, Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ede11e55bcd119976d1f3381d90ccdb9f197c70e19f63582f5c41c7ae4d49d
Instruction ID: ac40935608798f3871c773c05255ff6b37766488a9e4576eecd483351ab3affd
Opcode Fuzzy Hash: 74ede11e55bcd119976d1f3381d90ccdb9f197c70e19f63582f5c41c7ae4d49d
Instruction Fuzzy Hash: 29427C74B402149FEB64DB758C64BAAB6E7AFC8700F14C1A9E50DAB395DF319D818F01

Uniqueness

Uniqueness Score: -1.00%

Function 02CCBFE6, Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f4251988013a5965221f8b725c575a8ab9fced671fd8a5ac53202e1d73a232
Instruction ID: f7e736d443e36bebb8f68fe2f43734731d70244f4fb6ee5d75f17a1a4f0cfd87
Opcode Fuzzy Hash: 25f4251988013a5965221f8b725c575a8ab9fced671fd8a5ac53202e1d73a232
Instruction Fuzzy Hash: CA427C74B402189FEB64DB758C64BAAB6E7AFC8700F14C1A9E50DAB395DF319D818F01

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0BF8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b18ed3d87d742844bb76590cf4c87e16a682256610b49a9dc80b1558b7f570
Instruction ID: c4ec7c4296b48fc2895b15ac888f648445b44a99219ce91c7f00dd1deaa22b83
Opcode Fuzzy Hash: 80b18ed3d87d742844bb76590cf4c87e16a682256610b49a9dc80b1558b7f570
Instruction Fuzzy Hash: 3631F0349062818FD75AEF72E84029A7BE3ABC9744B14C939C488CF27DEF755906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02CC0C08, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.265264749.0000000002CC0000.00000040.00000001.sdmp, Offset: 02CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46738849e9183cbc2898e3d31eafb3878d116bcd66226c7595689ca0571d7003
Instruction ID: 627b3f1c0155809b77a79e0f08334cf9d764f604059cc1f194f9351f27e95b50
Opcode Fuzzy Hash: 46738849e9183cbc2898e3d31eafb3878d116bcd66226c7595689ca0571d7003
Instruction Fuzzy Hash: 00319E74A022818FD799FF76E44029A7AE3ABC8744B14C939C488CB27CEF755506CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exe PID: 6564 Parent PID: 6504 aspnet_compiler.exeCOMMON

Executed Functions

Function 02800948, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

$,m, xrefs: 02800965

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID: $,m
API String ID: 0-3119397721
Opcode ID: 1e63b763be80600c432e3ac17f6f4fce6f9299dc54dd008a038b091c51d934f4
Instruction ID: e92f0bc84c3388f6c3945eb6d0288feddcffb05d6d38302f379a2a6778974e2e
Opcode Fuzzy Hash: 1e63b763be80600c432e3ac17f6f4fce6f9299dc54dd008a038b091c51d934f4
Instruction Fuzzy Hash: B8F05938604E448FD767E3BCD4A2B99BBF19F8B11970844DAD405CB2A6EB209D06C752

Uniqueness

Uniqueness Score: -1.00%

Function 02800958, Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

$,m, xrefs: 02800965

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID: $,m
API String ID: 0-3119397721
Opcode ID: 4f6e4d30135d71482123b2d3fbedfa0506200fde28f69b38a977b409df80fdaa
Instruction ID: 3ced7e72476245696b9562cc2fa0ff38a9d8ecf8ebbd8562c23f106e6834465b
Opcode Fuzzy Hash: 4f6e4d30135d71482123b2d3fbedfa0506200fde28f69b38a977b409df80fdaa
Instruction Fuzzy Hash: B4E0D879200D048FDA55F7ACD445B99B3D9DF8A219B0408A4E009CB378EF709D428791

Uniqueness

Uniqueness Score: -1.00%

Function 028002DC, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84a4da29b6c3102fc2ce48564277f7f016e836346c7738d01a94da01bfb92b
Instruction ID: 101d38b3d7aa1b6bfb6067f808dad050005bbed0f2368cd42d2382c60ea8a7a8
Opcode Fuzzy Hash: 2c84a4da29b6c3102fc2ce48564277f7f016e836346c7738d01a94da01bfb92b
Instruction Fuzzy Hash: 3741BD39A016048FDB18DBB4D8483EDB7F6AFC9308F158869D805E7391EF749D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 028004B8, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9311d2e62add851e4a4aa5b34b8ffc5e5daec21ca946153b1ef249939e4bde4f
Instruction ID: 54711311042cb256a85bb74f0d6b7537eff37e026c969b267126222addd5a0aa
Opcode Fuzzy Hash: 9311d2e62add851e4a4aa5b34b8ffc5e5daec21ca946153b1ef249939e4bde4f
Instruction Fuzzy Hash: 4E61B139B00A048FDB25EBB8E8407ADB3E6EFC9318F148969D805D7354DF70AD468B91

Uniqueness

Uniqueness Score: -1.00%

Function 028004B7, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87388ef7cf1dd07b76b5b3da92c8a9c7fd1200b32ae7cc574706d88663231867
Instruction ID: f1f54c79513502c6b69cd8c8aa474bd308b7b317ef58932f4b77432db28a70c6
Opcode Fuzzy Hash: 87388ef7cf1dd07b76b5b3da92c8a9c7fd1200b32ae7cc574706d88663231867
Instruction Fuzzy Hash: 6741AB39A006049FDB24EBB8D8447EDB7E6AFC8308F258829D805E7390DF749D468B91

Uniqueness

Uniqueness Score: -1.00%

Function 02800827, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e240366cd80ceef7752697c674df3e576c61c98cfcee9efec0bbbd485a55a92
Instruction ID: bad774b9186e41ad1d22619bc820aa22ad3f17fe768916796a4b1946d9d53631
Opcode Fuzzy Hash: 3e240366cd80ceef7752697c674df3e576c61c98cfcee9efec0bbbd485a55a92
Instruction Fuzzy Hash: 2F21F7347106108FCB58AB79D468A6D37E1AF8961932608BCE506DF7B1DF36DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0280052D, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb23542e182840d5916ba33566f17ff0a18963b105275b21da310e11190272c
Instruction ID: d78b4f154967c638b25f9f8fd9c0dea50ef0e198e85a130df46116a9614f11ba
Opcode Fuzzy Hash: efb23542e182840d5916ba33566f17ff0a18963b105275b21da310e11190272c
Instruction Fuzzy Hash: AE21A138B00100CFDF14ABB499583ADB3E2AFC8309F218868D805EB391DF74DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 02800913, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259175263.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7228d8963b4302db12199c0ae177efbcc4631768e73f272a3323959c5d0547d8
Instruction ID: 97a0bd44203d5f0bdf114709c8af78a0e14a9dfc93f303a23aa29238b8f5a038
Opcode Fuzzy Hash: 7228d8963b4302db12199c0ae177efbcc4631768e73f272a3323959c5d0547d8
Instruction Fuzzy Hash: 7CE0683D908784AFEF029B6CA890864BF34EB0B21531400D0E888CB273D3339813CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: SecurityHealthService.exe PID: 6868 Parent PID: 6504 SecurityHealthService.exeCOMMON

Executed Functions

Function 008FA7A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 008FA823

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 405ea00742cdbe2ed669dab7142cd5d7e39e177c5e5db2b979e9fcf2552e4e49
Instruction ID: 2fa5471100ed411898f7ae9d536005f8071a7336a54237ba9f007ddfb43b7fe5
Opcode Fuzzy Hash: 405ea00742cdbe2ed669dab7142cd5d7e39e177c5e5db2b979e9fcf2552e4e49
Instruction Fuzzy Hash: A721A3755097849FDB128F25DC44B62BFB4EF16320F0884EAE985CF163D3759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA7DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 008FA823

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 440b77b03463ae77aba8160c331d2308d209744b9e48aebee2741da922afdbab
Instruction ID: c45d343844c6ccac262a3a245b2013019cf7a4a9d2547039e9694de26f8f23ae
Opcode Fuzzy Hash: 440b77b03463ae77aba8160c331d2308d209744b9e48aebee2741da922afdbab
Instruction Fuzzy Hash: 76114C755007089FDB248F65E884B66FBA4EF04720F08C4AADE4ACB651D375E819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 023839E7, Relevance: 6.0, APIs: 3, Instructions: 1543memorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,00000000,00003000,00000040), ref: 02383CD8
VirtualAllocEx.KERNELBASE(?,?,00000000,00000000,00003000,00000040), ref: 02383D4B
ResumeThread.KERNELBASE(?,?), ref: 02383F53

Memory Dump Source

Source File: 00000008.00000002.268544558.0000000002380000.00000040.00000001.sdmp, Offset: 02380000, based on PE: false

Similarity

API ID: AllocVirtual$ResumeThread
String ID:
API String ID: 3804112640-0
Opcode ID: ce105b8a555ebb43e8f600eb05528bc00f68830122d8addfa6eee701c196db2d
Instruction ID: a4ee5270313942c9a66e891966ed050b25daf1a925555ede95345ad8928ef95b
Opcode Fuzzy Hash: ce105b8a555ebb43e8f600eb05528bc00f68830122d8addfa6eee701c196db2d
Instruction Fuzzy Hash: 0102F171B003299FDB18EBB9C8507AEBBA6AF84308F1480A9D549EF395DB34D945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 008FAE31, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 008FAEE1

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f3f2a9143f0e19d929cc67efd309ec2940a83ddebd81ad926c50e68c89d1498
Instruction ID: 1577065a464aa4346a9a52b2f748cb86498145031a531b332fc6f4b604981b1d
Opcode Fuzzy Hash: 2f3f2a9143f0e19d929cc67efd309ec2940a83ddebd81ad926c50e68c89d1498
Instruction Fuzzy Hash: 66315075508784AFE722CF65DC85B66BFE8EF05320F08849EE9858B252D375E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FAA10, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAAAA

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 47bc7762b6886ec5fd470bc25168d912f49c93055d93230656b81c7e2604bc77
Instruction ID: d716d9073ffed7d9d3ffc8f4683fa5836f588167ec4ddd3179f939a459bc7944
Opcode Fuzzy Hash: 47bc7762b6886ec5fd470bc25168d912f49c93055d93230656b81c7e2604bc77
Instruction Fuzzy Hash: 9921E6B25093846FE7128F25DC45FA6BFB8EF46320F0884DAE984DB193D2249949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB09, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAB9A

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 2c36ebda5d1f4794d493502016de455633139e11978f55745b77262d16c2b0c1
Instruction ID: 5346ed72db299e1a74a285fa270550e7b1e880f0c68f681944b46f297e772d4f
Opcode Fuzzy Hash: 2c36ebda5d1f4794d493502016de455633139e11978f55745b77262d16c2b0c1
Instruction Fuzzy Hash: 0021B5B15093846FE722CF65DC45FA6FFACEF46320F0884AAE944DB152D264E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB518, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FB5A8

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b74106240abdfdb12cd84c8302885aecb0225792171d4c9c45c51626ba2f6d82
Instruction ID: 3aec635cc34c7420244904777be0355df38f83a619c28fa9300da8992e622140
Opcode Fuzzy Hash: b74106240abdfdb12cd84c8302885aecb0225792171d4c9c45c51626ba2f6d82
Instruction Fuzzy Hash: DD21B5715097846FE7128B25DC85FA6BFA8EF46310F0884EBE984DF193D264A948C761

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC00, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 008FACA6

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: cd49dd95e3c5bc429fd962f2fab7d354a176171d316d8ccbde59f4101798f7d9
Instruction ID: da8de7adbb34522d6bbae2b88d8bba33743dfa142b0229ca1f9580c328cd4034
Opcode Fuzzy Hash: cd49dd95e3c5bc429fd962f2fab7d354a176171d316d8ccbde59f4101798f7d9
Instruction Fuzzy Hash: CF21AD714093C06FD3128B65CC55B66BFB8EF87610F0980DBD8848B2A3D224A919CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAF38, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAFCD

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 135a5dcb56e95650f979663ae1e6f3d612c0b93473d7d279dbd1350f83fa2cd1
Instruction ID: d4f32a88663c6d455cfd7b7d9c21038c6e51753367d50d70ab972f403e0e032b
Opcode Fuzzy Hash: 135a5dcb56e95650f979663ae1e6f3d612c0b93473d7d279dbd1350f83fa2cd1
Instruction Fuzzy Hash: 12213AB54097846FE7138B25DC41BA2BFACEF47720F1884DAED848B293D2645909C771

Uniqueness

Uniqueness Score: -1.00%

Function 008FAE62, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 008FAEE1

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4551e83586e42e25128f95820b585b7b653a7e31e024a6fbec8d3b1cb2760743
Instruction ID: 9a749d97d5ebabc6604a8394191ba3bd5947d923d00617ba26222c6ff9defb10
Opcode Fuzzy Hash: 4551e83586e42e25128f95820b585b7b653a7e31e024a6fbec8d3b1cb2760743
Instruction Fuzzy Hash: C6218DB1500204AFEB21CF65DD85B66FBE8FF04320F18846AEA898B241D371E4048B76

Uniqueness

Uniqueness Score: -1.00%

Function 008FB008, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FB099

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 67715743345c4065ab19224f6439ab422f1db4384fb9dce5e9233732885810cf
Instruction ID: ba7b203f27a1876e252cc395f75c9e8d4e5c6c68ed44744e643b1078e075a97d
Opcode Fuzzy Hash: 67715743345c4065ab19224f6439ab422f1db4384fb9dce5e9233732885810cf
Instruction Fuzzy Hash: 18219072409784AFD7228F65DC44F66BFB8EF46314F0884DFE9849B193C225A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB45B, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB4DC

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e937f29abb0eebf89f3ee24fb7cdc6433f006bbe038024fe8cb964b081dabbc5
Instruction ID: 72c087496c92e3e2079b715b1c82e3c8179468f3863af8e5a62747ce4318c3cf
Opcode Fuzzy Hash: e937f29abb0eebf89f3ee24fb7cdc6433f006bbe038024fe8cb964b081dabbc5
Instruction Fuzzy Hash: CC2190755097C59FDB128F25DC50AA2FFB4EF07310F0884DAE9848F163D265A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FA870, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA8DC

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 92cbce6a93d1fd7597df8653ad697e66bb8b31f7e3238c9e2a7effb6c97bac67
Instruction ID: 3db43079a180541db62f64e5604c16ae108f48ab5003318f3c53e1d718d7dec7
Opcode Fuzzy Hash: 92cbce6a93d1fd7597df8653ad697e66bb8b31f7e3238c9e2a7effb6c97bac67
Instruction Fuzzy Hash: F621A1725093C45FDB028B25DC95A92BFB4AF17324F0980EAED858F663D2659908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB36, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAB9A

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 73b8a9428d6325934c3c6d61f9f9962edde5b051a7db9e03834568b353a05f9d
Instruction ID: b928a18f24c35d1e95bcd8deb08fa6f04e348661dafabaeebd1131f93e6eebf8
Opcode Fuzzy Hash: 73b8a9428d6325934c3c6d61f9f9962edde5b051a7db9e03834568b353a05f9d
Instruction Fuzzy Hash: 6D1172715042049FEB20CF65DC85F76BBD8EF04720F1484AAED49DB251D674E844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 008FA597, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 008FA606

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f1cf60b48a035abb42da86c6c1cbcb7fbf18b0beda238ca8cb9162aecfa1530d
Instruction ID: 2b6bbca24c6d27d3977e586f1d08680703271172706868b6d710b27f5f4f2cb4
Opcode Fuzzy Hash: f1cf60b48a035abb42da86c6c1cbcb7fbf18b0beda238ca8cb9162aecfa1530d
Instruction Fuzzy Hash: C721A2B15053845FD722CF65DC84B62BFA8EF16620F0884AAED48CB252D235E808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FACDC, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 008FAD56

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: b566a22c4a920fd531fbc7be309e9a2da2142c8223eb972a41812a40af4f85af
Instruction ID: 76c9f463ae542f5e9a995f7535b7ea36d998d16120de1205eca8342ab9b7d94e
Opcode Fuzzy Hash: b566a22c4a920fd531fbc7be309e9a2da2142c8223eb972a41812a40af4f85af
Instruction Fuzzy Hash: 7221597140D3C49FD7138B649C55A62BFB4EF57220F0984DBD9848F163D2249808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FAA4E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAAAA

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 825a639dd0b11993e295947d43773cd188dc2a1625673d587fd982124706b62f
Instruction ID: 82a21133b51f2a179d05a1543110e37035b8277aa58477a2fb57347af4c33508
Opcode Fuzzy Hash: 825a639dd0b11993e295947d43773cd188dc2a1625673d587fd982124706b62f
Instruction Fuzzy Hash: CA11B671500204AFEB21CF69DD85B7AFBD8EF44720F14846AED49DB241D274A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB552, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FB5A8

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a2342a9325388c388889fed631a8c540ac21ccc6891328fccf9e132d2539a9c3
Instruction ID: 75f2368c274b9b441a92f01022fc298e15a1671cb4e12a336ec9dedbe7e24591
Opcode Fuzzy Hash: a2342a9325388c388889fed631a8c540ac21ccc6891328fccf9e132d2539a9c3
Instruction Fuzzy Hash: C811A371500204AFEB10DF2AEC85FBAFB9CEF48721F1484AAED45DB241D778A8048B71

Uniqueness

Uniqueness Score: -1.00%

Function 008FAD96, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FAE00

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 148bb64ef68f3494136d15a1529bcbdede916d3c3e5e64c0b18f11c3d92450a9
Instruction ID: dc09809b1e0972b5c6d7a3b9ae78f6956c60a2b07c7a68065c644a9a56439009
Opcode Fuzzy Hash: 148bb64ef68f3494136d15a1529bcbdede916d3c3e5e64c0b18f11c3d92450a9
Instruction Fuzzy Hash: 8D116AB18093C45FDB138B25DC546A1BFB4EF17324F0980DAED848F263D2656808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB03A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FB099

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 17cf84cbe1999a7c71ca61ba20a9f8d8657b7c0c25c71fa3f04f07ff02269d96
Instruction ID: 3a514145df8a16d8d7b62f15ab165433ec4830b1f686f9e4dae9e74cb6484fec
Opcode Fuzzy Hash: 17cf84cbe1999a7c71ca61ba20a9f8d8657b7c0c25c71fa3f04f07ff02269d96
Instruction Fuzzy Hash: 4611B271400604AFEB218F65DC45FA7FBA8EF48720F1484AAEE45DB241C775A4058B71

Uniqueness

Uniqueness Score: -1.00%

Function 008FB30F, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB374

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7781f71e2228875f8324a1061a8a3abeed33ac155ba88e9e039793eccb99b055
Instruction ID: 9554036dc22f7c0c9952617f02c62d3f250fce86e3820f58c7b95a8e9b250a36
Opcode Fuzzy Hash: 7781f71e2228875f8324a1061a8a3abeed33ac155ba88e9e039793eccb99b055
Instruction Fuzzy Hash: FD11D3764097849FDB228F25DC40A62FFB4EF16320F0880DEED858B262C375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FA460, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA4B4

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ce37de412eaf05b9604f00b68f22ec458ec6be2c470484419a95344fd9c21f1f
Instruction ID: 87dd9080aade834a60d69a45acadee71008c8cb807ad9c419656b3165905887d
Opcode Fuzzy Hash: ce37de412eaf05b9604f00b68f22ec458ec6be2c470484419a95344fd9c21f1f
Instruction Fuzzy Hash: 4E11A7715093845FD7128F25DC95B62BFA4EF56220F0880EBED45CF652D2799848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FB268, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 008FB2C7

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d6747330b03c5f2f7db7d316c78fe3763759a9320ea41d8442cdaee32dcf734c
Instruction ID: 6a7869873ac94b1edcf292a90a5af2e11087b3bce79c775a13a12de5c71d050f
Opcode Fuzzy Hash: d6747330b03c5f2f7db7d316c78fe3763759a9320ea41d8442cdaee32dcf734c
Instruction Fuzzy Hash: E1118F755093849FD7118F26DC85B66FFE8EF06320F0980AAED458B262D375A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FA5BE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 008FA606

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cb416a1e091177e2a2268b88c1019077cc4155c488c864c68cf574ded9257c09
Instruction ID: e1f58ddcf09a02fbc8f5fe0cf8ea270e561dc85ab95c7b97727a317abd87e092
Opcode Fuzzy Hash: cb416a1e091177e2a2268b88c1019077cc4155c488c864c68cf574ded9257c09
Instruction Fuzzy Hash: B0115EB1A042448FDB24CF69DC85B66FBD8EF14720F18C4AADE49CB245D274E854CA72

Uniqueness

Uniqueness Score: -1.00%

Function 008FAF7A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,1180CB3F,00000000,00000000,00000000,00000000), ref: 008FAFCD

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 13c4c97bb666acaed1560b1867e75a73485c96c4fe03053e0b000c6fe651ae02
Instruction ID: 20da7d296ba1a1567f816e0f2149d1b205daf93448c95e9e5d0acb9f767446b6
Opcode Fuzzy Hash: 13c4c97bb666acaed1560b1867e75a73485c96c4fe03053e0b000c6fe651ae02
Instruction Fuzzy Hash: DC01D6B1500708AFE720DB2ADC85BB6FBD8EF44720F14C09AEE49DF241C674A5458A72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB496, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB4DC

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 205c6d81a27ba7cedf1194a041d7a519e99a469f612d83f2ca1e1e21d312d87e
Instruction ID: 1e5fc62dde406fbccb6027a859cfc34673694b07a05e64843204cb66e6890a1a
Opcode Fuzzy Hash: 205c6d81a27ba7cedf1194a041d7a519e99a469f612d83f2ca1e1e21d312d87e
Instruction Fuzzy Hash: 2A018B355006088FDB20CF29D884B66FBA4EF18720F0884AADE458B652D375E848DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC56, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 008FACA6

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 720b36d219809ba7bacc771305c486b59f23674b863dc3ec6fbd55663ad5651b
Instruction ID: 0784a89a23a60d311b85b2432c9f50d241a263d5d619873b0a0c7f79febf48b6
Opcode Fuzzy Hash: 720b36d219809ba7bacc771305c486b59f23674b863dc3ec6fbd55663ad5651b
Instruction Fuzzy Hash: C5017171900600ABD710DF26DC86B76FBA8EB88B20F14816AED089B741E235F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008FB28A, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 008FB2C7

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 69d985a8a2fd8620bfffb85ba199588bb5de52b9669520b6b58ac3237d6b16b7
Instruction ID: 68c70703e59960fcbeed50ce654d38e76bbcf99490d4d49bb6af3c0d40bd6328
Opcode Fuzzy Hash: 69d985a8a2fd8620bfffb85ba199588bb5de52b9669520b6b58ac3237d6b16b7
Instruction Fuzzy Hash: AC017175A046488FDB208F2AD885779FBE4FF05720F08C0AADE45CB656D775E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008FA482, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA4B4

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: febe619eb32f88f556995f3c1f23feb90efdabfbce43fc7726711cb048a4a73f
Instruction ID: 89caa7fe0af9728ae4ba159fa6b8902544eb88a4c45b6a3e12fc6dcae466e052
Opcode Fuzzy Hash: febe619eb32f88f556995f3c1f23feb90efdabfbce43fc7726711cb048a4a73f
Instruction Fuzzy Hash: 5101D4719002448FDB108F29E889775FB94EF10330F18C0AADD49CB242D2B49444CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA8AA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 008FA8DC

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 010c7c4e4af5dcb57fc6af7796b5221dd66709ae7fb48e00b9cb250d88cc97f6
Instruction ID: 7d591b4f364ba154c0083231adfde37882e2193bb118912d8046f216d946b512
Opcode Fuzzy Hash: 010c7c4e4af5dcb57fc6af7796b5221dd66709ae7fb48e00b9cb250d88cc97f6
Instruction Fuzzy Hash: BA01B1719003488FDB108F29E885766FBA4EF00330F18C0BADD49CB642D2B4A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FB336, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 008FB374

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fd9f8d0c52774f667df52b75fb98f07c21b151d81889473e4a2811f48dc3a719
Instruction ID: b61b6dfba171f66080813bdb4beae6b2ef8b3cf04deb67a619dacf66cd111727
Opcode Fuzzy Hash: fd9f8d0c52774f667df52b75fb98f07c21b151d81889473e4a2811f48dc3a719
Instruction Fuzzy Hash: 940169365006049BDB208F66EC85B66FBA4EB04320F1884AAEE858A661D371A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 008FAD1E, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,?), ref: 008FAD56

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f73cc42ed3d5d54694cf05195ad7ce8aa3835968829bac19d781addb55b50055
Instruction ID: 180099e84af38f1169634c2cff74f61c4a0717e8c8decbc9d07df0ac129eb133
Opcode Fuzzy Hash: f73cc42ed3d5d54694cf05195ad7ce8aa3835968829bac19d781addb55b50055
Instruction Fuzzy Hash: E2017C718042489FDB20DF65E885B65FBA4EF04321F18C4AADE498B616D275A408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 008FADCE, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FAE00

Memory Dump Source

Source File: 00000008.00000002.267677856.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3f09e1f07460bafa1d025e43acc2cc9ddaf11b20cf266f0306b13e9b9dae3d32
Instruction ID: 86c3d2f57fca3bdc5a5ed45bf5272c13d4e4603ac4c69a3360ec5fcf4cef6250
Opcode Fuzzy Hash: 3f09e1f07460bafa1d025e43acc2cc9ddaf11b20cf266f0306b13e9b9dae3d32
Instruction Fuzzy Hash: 8EF0AF759043488FDB248F1AE885771FBA0EF04730F18C0EADE498B356D2B5A448CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 008F2477, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

1Fr<, xrefs: 008F24AC

Memory Dump Source

Source File: 00000008.00000002.267659422.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID: 1Fr<
API String ID: 0-799200857
Opcode ID: d2829ff7cd37372e235a6eaaf84414d08d711b44b7e77751bc959d0eabe57254
Instruction ID: 6ffd19bd24002d6ce13426adde3d14a47788c3390207f9d50b22dd1f76b140eb
Opcode Fuzzy Hash: d2829ff7cd37372e235a6eaaf84414d08d711b44b7e77751bc959d0eabe57254
Instruction Fuzzy Hash: 52716BA264E7DA4FCB038B3468641B47F71FB2732574A40EBC684CF0E3E254484A876A

Uniqueness

Uniqueness Score: -1.00%

Function 023B05D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.268565110.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed52b66f5b79eb8db2a5f1cee9397f62c831bd73e48c882a5329affa3b268481
Instruction ID: fbf7150f876827d1ec545a75168161fce1b226bece81c5f7adc0f7b2508ee43b
Opcode Fuzzy Hash: ed52b66f5b79eb8db2a5f1cee9397f62c831bd73e48c882a5329affa3b268481
Instruction Fuzzy Hash: 490186B65097846FD7128F16EC51862FFB8DF86620709C4DFEC498F612D229A908CB76

Uniqueness

Uniqueness Score: -1.00%

Function 023B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.268565110.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba8d7bdf87a0dace57c30d35277b6b98868f0f53d1cf5fa7427bad5ec06884a
Instruction ID: a9a1b29a195c4be5048ca87e2de76da54d115586a96a1042da6b31460735cc17
Opcode Fuzzy Hash: 2ba8d7bdf87a0dace57c30d35277b6b98868f0f53d1cf5fa7427bad5ec06884a
Instruction Fuzzy Hash: C2E06D76A006044BD750CF0AEC81466F798EB84630718C0BFDC0D8B700D235B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 008F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.267659422.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de0a14159b09a7a88ac7562480504579247d6ebc0ef2455bccb62b0c7dbbb98
Instruction ID: 49e697b8e906c93190ddd140d94407abdcdbb8c4f02b2abdbeef093b6979720e
Opcode Fuzzy Hash: 9de0a14159b09a7a88ac7562480504579247d6ebc0ef2455bccb62b0c7dbbb98
Instruction Fuzzy Hash: 4FD05E79205A814FD327CA2CD1A8BA53B94FB61B04F4644FEE800CB663C3A8D981D610

Uniqueness

Uniqueness Score: -1.00%

Function 008F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.267659422.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c34bf1722d8d72c9b0ad46983e5a320b22727686f19fe2dfde5c55c8c854d2c
Instruction ID: c17bedd7bb14441675bd13045861bbdf8d5e980c489f34d0ca03a90cff47a86e
Opcode Fuzzy Hash: 0c34bf1722d8d72c9b0ad46983e5a320b22727686f19fe2dfde5c55c8c854d2c
Instruction Fuzzy Hash: 30D017742006854BC725DA1CC194F6937D4BB81B00F0644E9AC008B362C7A8D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kHCaZ06n23

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: RevengeRAT

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage