Windows Analysis Report
EZFN op cheats.exe

Overview

General Information

Sample name: EZFN op cheats.exe
Analysis ID: 1581174
MD5: ef4d8a6e9965bc6bb50cc1dfc5afde69
SHA1: 22dc66b0dec9e655fc049063eb9ed1ac40163d63
SHA256: fc0afaabeb1bec166e86302143e2ae0387142cc17df7a8980c8b7a9de43aad67
Tags: exeQuasarRATuser-lontze7
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Quasar RAT, QuasarRAT Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: EZFN op cheats.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Found malware configuration
Source: EZFN op cheats.exe Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "192.168.137.1:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c9e46391-a513-481f-850c-0575d9434d9b", "StartupKey": "cheats", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "gmOxfyf+ykgHNniimpsMF6kft/g8eAy78kixuCAy3zuPFNdN3lcN+Zko9G4kbEghfHmT+IFJAXJ6Cz0VTTgAMdGphGF9Kk4hmi221QkSPZpnQuwiZb/vv57sAhIN4vZAW7v7v5H2VsSarV1sD9d4SYaUB+ahdWrfqnyfJv+vxbbFCzFedFlF3oZdSdmx4X79CjKYHlOx5Paf8fgVuLTjKC8vkkIb/h4RrdX9NfOwUrGdyVCoH25m7D/Qz1/LLvC4COhyXvYT0TfzpdVSWyKAO3UBJMAwRcHcfhahgV/dIhzro9yLA63HYSJjTyENl3rLyymBwbST/SYNMn3Uzn1sM+WVBtrTpjlf+bOJ8SHNWGRUxOJp5cF3q3rcq78HwJW1RM6saygoF2S0dTKzbnWpWach5xFEEMfBRHTR3rCjH2qnCiHfdjiMR3KbSHCtLojE/uoqrDqW2NlOt4vI2Ua7cZsIFkVAlo3UDCLZhSj0uIQtLsmIiUzh3Q77oal+iaxqVG8P9ucIyQeRhc64X26DpOdj9WTzVNibXA4d6Ki/HU8WG2bd7ZiQnQAVIxPX/+88UkPJIe/NuF9J2XkW4DIm3RwIOOczUE/WpFgDAx4LQgO96Ix/WwIKJ5PcZ2TtEuXeQEZaRfL+3z5ziAMzjj9OATPmlM3KIfnVDBN9pCRIoos=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAJH+yisawyH1t/3B1e4XQTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDcxNjAwMjAxN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAiz0zqpeUYmVtNdqPyjMMD9OQRh8tg1eeer/avPMzNJErdC00Qm+0F5jGOD5gJhXDk86aaVWdnd93uNreyxpI9nMQaW1Imv9RLLkQBijIVk2SWvPMsbYHmZzzJHZVdEmrOu3+VSgMJTARh8QqGvBOHEEGB2C+fwh+PKpFJuCQZRwuhPz4WYHVwCuWZN4+LXMvMkW+Efio8GSfq/6MzHzAWpeaoDrOEP92cbSP2T5xOgqAhxle7xjbI66pSJjNJE6uzCp+PKeth54hzXGIOUB4rEzoCTxcOWSyrXv0XHTU8KTH4EHjkwv3fYPULoR80X2aC3ns3s2dMaFw9SNasKeVFxHelRl8jEMOdPi8uo/taGh3jMQ0gn2lQfchJMbqCgQmykxZR28+a6M3dsSO1x0M1MkQHYT0CgRtLv2CC5IU9/OdwuBNucoa/iVbW3M0czHi36kqMvH/6c5+1eh1bcrLXl3p4glNXAs3wpdFlaNyQ0P92HmEzXYtX8a0oYPJvcJGbOjRTXvt1P8qPoPO6qlKHU2svCNVSouH0byQVj8X7aEcJLRuPGgMXN0My4OGJSDGfAARz/uATejNXMqqHVe5FIZ66jsJTXZNJ8pPBW0Ya2ehy4r++iFtmBZVt+SL1bC0UMeg0h4rLXB1jSVAHhzuFFMSnp+LLAIVpWQJ9wZ2ZGkCAwEAAaMyMDAwHQYDVR0OBBYEFF6jCGqE3WkSs35EnX7xuZ9CpfvfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADWbG8qxtK7gYvLxyj01Xq2Bmi/Yzyn0+03wrsZRjLceXHB7LOjC8bzuH8JDrFnX5+c6aouJkW9HoNfa6q0WPinvkeL/b0FjfgemoF4cbZmqPWtsuboBohaXn4jPUeTt9nKlQSX5G5eUvWF4Rbj67ToPZxqfFmKJJ5QC/2Zndd4sMk2D3uFmxWqVyLR+qB5ybjW+wEzW+9dlURJI0ezboPd+BWZcnHz2Ysc0DZzB5lwhjToto4IGgG3gPZH4rCOhjf3T7H+hi3hDckrEEqQ+Wc/CF9CbApI0jkrNCZeqA8gNqYiVzuYLnnVu51cKEBUz9VNRKoepmaLd7FmksvSZtAkk44brALBEwmeNDqRSqJMM9n2/Nvr6+hJ1wdz6e99d9RFEVOOm3I3F5MAfCe/mnmz+fYweI+OgbFcKnuXUUHcLlpIqw32Ppvn3aI+oEw8tBH/cJGml0ESIlu5341ArY+QOvhHRzW1ORYD3QrZODgYpB3b6PUQAMRnouIF6FtHBEmQHp4kzUVLbPvklbxkRBmze0JIwC0NdWcdFRgMXLixJk0AUzp0BOny3dY8TTS/TjUe7yrqt7CQrnhd/t47+ixoSbQCfdRpDx/ABWOLZBIDvX3FeFGKh7tNyJsjgm3HBQxxs3XLNvnmAn2kxC4mhYwDKYsVgDQD4m1Gp7Uqdy+Xn"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: EZFN op cheats.exe ReversingLabs: Detection: 76%
Source: EZFN op cheats.exe Virustotal: Detection: 85% Perma Link
Yara detected Quasar RAT
Source: Yara match File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: EZFN op cheats.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: EZFN op cheats.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EZFN op cheats.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 192.168.137.1
Yara detected Generic Downloader
Source: Yara match File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: EZFN op cheats.exe, 00000000.00000002.1689444295.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.4120119667.0000000003419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EZFN op cheats.exe, Client.exe.0.dr String found in binary or memory: https://api.ipify.org/
Source: EZFN op cheats.exe, Client.exe.0.dr String found in binary or memory: https://ipwho.is/
Source: EZFN op cheats.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: EZFN op cheats.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: EZFN op cheats.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe Jump to behavior

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects Quasar infostealer Author: ditekshen
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA6AFDD 3_2_00007FFD9BA6AFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA69BD1 3_2_00007FFD9BA69BD1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA69271 3_2_00007FFD9BA69271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA655D6 3_2_00007FFD9BA655D6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA6621F 3_2_00007FFD9BA6621F
Sample file is different than original file name gathered from version info
Source: EZFN op cheats.exe, 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe. vs EZFN op cheats.exe
Source: EZFN op cheats.exe Binary or memory string: OriginalFilenameClient.exe. vs EZFN op cheats.exe
Uses 32bit PE files
Source: EZFN op cheats.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: EZFN op cheats.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/3@0/1
Source: C:\Users\user\Desktop\EZFN op cheats.exe File created: C:\Users\user\AppData\Roaming\SubDir Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\c9e46391-a513-481f-850c-0575d9434d9b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03
Source: EZFN op cheats.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EZFN op cheats.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\EZFN op cheats.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: EZFN op cheats.exe ReversingLabs: Detection: 76%
Source: EZFN op cheats.exe Virustotal: Detection: 85%
Source: EZFN op cheats.exe String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\EZFN op cheats.exe File read: C:\Users\user\Desktop\EZFN op cheats.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\EZFN op cheats.exe "C:\Users\user\Desktop\EZFN op cheats.exe"
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: EZFN op cheats.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EZFN op cheats.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: EZFN op cheats.exe Static file information: File size 3265536 > 1048576
Source: EZFN op cheats.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
Source: EZFN op cheats.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\EZFN op cheats.exe Code function: 0_2_00007FFD9B7D00AD pushad ; iretd 0_2_00007FFD9B7D00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9B7F2BE5 pushad ; iretd 3_2_00007FFD9B7F2C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9B7F2BB0 pushad ; iretd 3_2_00007FFD9B7F2C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9B7F00AD pushad ; iretd 3_2_00007FFD9B7F00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9BA6336E push eax; ret 3_2_00007FFD9BA6340C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 4_2_00007FFD9B7F00AD pushad ; iretd 4_2_00007FFD9B7F00C1
Drops PE files
Source: C:\Users\user\Desktop\EZFN op cheats.exe File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\EZFN op cheats.exe File opened: C:\Users\user\Desktop\EZFN op cheats.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\EZFN op cheats.exe Memory allocated: DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Memory allocated: 1A870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1850000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1B3E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1280000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AD90000 memory reserve | memory write watch Jump to behavior
Contains functionality to detect virtual machines (STR)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 3_2_00007FFD9B7FF1F2 str ax 3_2_00007FFD9B7FF1F2
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\EZFN op cheats.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Window / User API: threadDelayed 1438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Window / User API: threadDelayed 8387 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\EZFN op cheats.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4092 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1740 Thread sleep count: 1438 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1740 Thread sleep count: 8387 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4092 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1880 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\EZFN op cheats.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Client.exe, 00000003.00000002.4126084722.000000001BFF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "cheats" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\EZFN op cheats.exe Queries volume information: C:\Users\user\Desktop\EZFN op cheats.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\EZFN op cheats.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Quasar RAT
Source: Yara match File source: EZFN op cheats.exe, type: SAMPLE
Source: Yara match File source: 0.0.EZFN op cheats.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662526352.0000000000690000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1662190614.0000000000372000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EZFN op cheats.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1581174 Sample: EZFN op cheats.exe Startdate: 27/12/2024 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 7 other signatures 2->38 8 EZFN op cheats.exe 5 2->8         started        12 Client.exe 3 2->12         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 8->26 dropped 28 C:\Users\user\...ZFN op cheats.exe.log, CSV 8->28 dropped 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->40 14 Client.exe 2 8->14         started        18 schtasks.exe 1 8->18         started        signatures5 process6 dnsIp7 30 192.168.137.1, 4782, 49730, 49737 unknown unknown 14->30 42 Antivirus detection for dropped file 14->42 44 Multi AV Scanner detection for dropped file 14->44 46 Machine Learning detection for dropped file 14->46 48 2 other signatures 14->48 20 schtasks.exe 1 14->20         started        22 conhost.exe 18->22         started        signatures8 process9 process10 24 conhost.exe 20->24         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.137.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
192.168.137.1 true
  • Avira URL Cloud: safe
 unknown