Windows Analysis Report
7yJsmmW4wS.exe

Overview

General Information

Sample name: 7yJsmmW4wS.exe
renamed because original name is a hash value
Original sample name: 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
Analysis ID: 1532626
MD5: 3dcc9cfed0a716b6ad3c4f4aaf1a1f46
SHA1: e512e9a92247439ca3bbb8e412ec46f191025b41
SHA256: 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 7yJsmmW4wS.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\edge.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\rat.exe Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["authors-reflections.gl.at.ply.gg"], "Port": "19578", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\rat.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\rat.exe Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Roaming\edge.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\edge.exe Virustotal: Detection: 72%
Source: 7yJsmmW4wS.exe Virustotal: Detection: 54%
Source: 7yJsmmW4wS.exe ReversingLabs: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\edge.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rat.exe Joe Sandbox ML: detected
Source: 7yJsmmW4wS.exe Joe Sandbox ML: detected
Source: 8.0.rat.exe.370000.0.unpack String decryptor: authors-reflections.gl.at.ply.gg
Source: 8.0.rat.exe.370000.0.unpack String decryptor: 19578
Source: 8.0.rat.exe.370000.0.unpack String decryptor: <123456789>
Source: 8.0.rat.exe.370000.0.unpack String decryptor: <Xwormmm>
Source: 8.0.rat.exe.370000.0.unpack String decryptor: XWorm V5.6
Source: 8.0.rat.exe.370000.0.unpack String decryptor: USB.exe
Source: 8.0.rat.exe.370000.0.unpack String decryptor: %AppData%
Source: 8.0.rat.exe.370000.0.unpack String decryptor: edge.exe
Source: 7yJsmmW4wS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7yJsmmW4wS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\AsUpIO20111020\20111020\objfre_wnet_AMD64\amd64\AsUpIO.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: .pdb.dbg source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdbmm/GCTL source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\kenneth\Downloads\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: dbghelp.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: dbghelp.pdbGCTL source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7953992B4 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 9_2_00007FF7953992B4
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795399210 FindClose,abort,FindFirstFileExW,GetLastError, 9_2_00007FF795399210

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49977 -> 147.185.221.23:19578
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49979 -> 147.185.221.23:19578
Source: Malware configuration extractor URLs: authors-reflections.gl.at.ply.gg
Source: global traffic TCP traffic: 147.185.221.23 ports 19578,1,5,7,8,9
Source: global traffic TCP traffic: 192.168.2.7:49700 -> 147.185.221.23:19578
Source: Joe Sandbox View IP Address: 147.185.221.23
Source: Joe Sandbox View ASN Name: SALSGIVERUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: authors-reflections.gl.at.ply.gg
Source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: rat.exe, 00000008.00000002.3717163305.00000000024C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: freeware.exe, 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr String found in binary or memory: http://www.urwpp.com
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr String found in binary or memory: http://www.urwpp.de
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr String found in binary or memory: http://www.urwpp.dehttp://www.urwpp.dehttp://www.urwpp.comhttp://www.urwpp.comNimbus
Source: freeware.exe.0.dr String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: freeware.exe.0.dr String found in binary or memory: https://scripts.sil.org/OFLThis
Source: freeware.exe.0.dr String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B9D64 _beginthreadex,_Mtx_lock,_Mtx_unlock,GetAsyncKeyState,GetAsyncKeyState,terminate,_invalid_parameter_noinfo_noreturn,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z, 9_2_00007FF7952B9D64

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\rat.exe Process information set: 01 00 00 00

System Summary

Source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rat.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B6A08 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,_stricmp,getenv,memchr,LoadLibraryExA,VirtualFree,_invalid_parameter_noinfo_noreturn,VirtualFree,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 9_2_00007FF7952B6A08
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B7228: LoadLibraryExA,_beginthreadex,terminate,?_Throw_Cpp_error@std@@YAXH@Z,_Thrd_id,_Thrd_join,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,memcmp,GetModuleHandleA,GetCurrentProcessId,memcmp,GetModuleHandleA,GetCurrentProcessId,DeviceIoControl,memcmp,GetModuleHandleA,GetCurrentProcessId,DeviceIoControl, 9_2_00007FF7952B7228
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Code function: 0_2_00007FFAACCE0A21 0_2_00007FFAACCE0A21
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE2719 8_2_00007FFAACCE2719
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE1289 8_2_00007FFAACCE1289
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE8A66 8_2_00007FFAACCE8A66
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE9812 8_2_00007FFAACCE9812
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE0E33 8_2_00007FFAACCE0E33
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE3769 8_2_00007FFAACCE3769
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE1BC5 8_2_00007FFAACCE1BC5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B7228 9_2_00007FF7952B7228
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952D225C 9_2_00007FF7952D225C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B5E5C 9_2_00007FF7952B5E5C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952CF2D5 9_2_00007FF7952CF2D5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7953992B4 9_2_00007FF7953992B4
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B2980 9_2_00007FF7952B2980
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952D11BC 9_2_00007FF7952D11BC
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BC214 9_2_00007FF7952BC214
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B6A08 9_2_00007FF7952B6A08
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952C2E0C 9_2_00007FF7952C2E0C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952CA5D8 9_2_00007FF7952CA5D8
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952C7CC0 9_2_00007FF7952C7CC0
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952B90B0 9_2_00007FF7952B90B0
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 14_2_00007FFAACCE1289 14_2_00007FFAACCE1289
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 14_2_00007FFAACCE1BC5 14_2_00007FFAACCE1BC5
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 16_2_00007FFAACCD1289 16_2_00007FFAACCD1289
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 16_2_00007FFAACCD1BC5 16_2_00007FFAACCD1BC5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: String function: 00007FF7952B3EBC appears 58 times
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: String function: 00007FF7952D2F28 appears 109 times
Source: 7yJsmmW4wS.exe, 00000000.00000000.1255644971.0000000001038000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefreeware.exe4 vs 7yJsmmW4wS.exe
Source: 7yJsmmW4wS.exe, 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerat.exe4 vs 7yJsmmW4wS.exe
Source: 7yJsmmW4wS.exe Binary or memory string: OriginalFilenamefreeware.exe4 vs 7yJsmmW4wS.exe
Source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7yJsmmW4wS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rat.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, Settings.cs Base64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Settings.cs Base64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
Source: edge.exe.8.dr, Settings.cs Base64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: rat.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: rat.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: edge.exe.8.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: edge.exe.8.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: freeware.exe.0.dr Binary string: \Device\PhysicalMemory
Source: freeware.exe.0.dr Binary string: \Device\AsUpdateio
Source: freeware.exe.0.dr Binary string: \Device\crazyape776
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/6@1/1
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BB728 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,CloseHandle, 9_2_00007FF7952BB728
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7yJsmmW4wS.exe.log
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Mutant created: \Sessions\1\BaseNamedObjects\DfSwcy0uKBIsveTI1
Source: C:\Users\user\AppData\Roaming\edge.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\rat.exe Mutant created: \Sessions\1\BaseNamedObjects\QxbISg5F4EKZB8tq
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Temp\rat.exe
Source: 7yJsmmW4wS.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\7yJsmmW4wS.exe "C:\Users\user\Desktop\7yJsmmW4wS.exe"
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\rat.exe "C:\Users\user~1\AppData\Local\Temp\rat.exe"
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\freeware.exe "C:\Users\user~1\AppData\Local\Temp\freeware.exe"
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\rat.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\edge.exe C:\Users\user\AppData\Roaming\edge.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\edge.exe C:\Users\user\AppData\Roaming\edge.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\edge.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\edge.exe
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\rat.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: d3dcompiler_43.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: d3dx11_43.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\edge.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: edge.lnk.8.dr LNK file: ..\..\..\..\..\edge.exe
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 7yJsmmW4wS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7yJsmmW4wS.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 7yJsmmW4wS.exe Static file information: File size 1464320 > 1048576
Source: 7yJsmmW4wS.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x164e00
Source: 7yJsmmW4wS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\AsUpIO20111020\20111020\objfre_wnet_AMD64\amd64\AsUpIO.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: .pdb.dbg source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdbmm/GCTL source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\kenneth\Downloads\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: dbghelp.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: dbghelp.pdbGCTL source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: rat.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: rat.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: edge.exe.8.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: edge.exe.8.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: rat.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: rat.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: rat.exe.0.dr, Messages.cs .Net Code: Memory
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Memory
Source: edge.exe.8.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: edge.exe.8.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: edge.exe.8.dr, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Code function: 0_2_00007FFAACCE00BD pushad ; iretd 0_2_00007FFAACCE00C1
Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE00BD pushad ; iretd 8_2_00007FFAACCE00C1
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952CE535 push rbp; iretd 9_2_00007FF7952CE536
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BE08D push rdi; ret 9_2_00007FF7952BE08E
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BBF34 push rbp; iretd 9_2_00007FF7952BBF35
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BBFE6 push rbp; iretd 9_2_00007FF7952BBFE7
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 14_2_00007FFAACCE00BD pushad ; iretd 14_2_00007FFAACCE00C1
Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 16_2_00007FFAACCD00BD pushad ; iretd 16_2_00007FFAACCD00C1
Source: 7yJsmmW4wS.exe Static PE information: section name: .text entropy: 7.998334006790471
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Temp\freeware.exe
Source: C:\Users\user\AppData\Local\Temp\rat.exe File created: C:\Users\user\AppData\Roaming\edge.exe
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Temp\rat.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\rat.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
Source: C:\Users\user\AppData\Local\Temp\rat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk
Source: C:\Users\user\AppData\Local\Temp\rat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run edge
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\rat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: 1870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: 1B270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\rat.exe Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\rat.exe Memory allocated: 1A4C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1B120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1A910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1B060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 13C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1AE80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\edge.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rat.exe Window / User API: threadDelayed 2396
Source: C:\Users\user\AppData\Local\Temp\rat.exe Window / User API: threadDelayed 7431
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rat.exe TID: 7444 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\edge.exe TID: 8072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\rat.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\edge.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7953992B4 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 9_2_00007FF7953992B4
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795399210 FindClose,abort,FindFirstFileExW,GetLastError, 9_2_00007FF795399210
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rat.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\edge.exe Thread delayed: delay time: 922337203685477
Source: rat.exe, 00000008.00000002.3719816331.000000001B410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWnStr%SystemRoot%\system32\mswsock.dllem.Web.Security.SqlRoleProvider, Sys

Anti Debugging

Source: C:\Users\user\AppData\Roaming\edge.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\rat.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\edge.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795398080 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF795398080
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\rat.exe "C:\Users\user~1\AppData\Local\Temp\rat.exe"
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\freeware.exe "C:\Users\user~1\AppData\Local\Temp\freeware.exe"
Source: C:\Users\user\AppData\Local\Temp\rat.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: GetLocaleInfoEx,FormatMessageA, 9_2_00007FF795398D90
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Queries volume information: C:\Users\user\Desktop\7yJsmmW4wS.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\rat.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rat.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\edge.exe Queries volume information: C:\Users\user\AppData\Roaming\edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795398C10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_00007FF795398C10
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: rat.exe, 00000008.00000002.3719816331.000000001B4F1000.00000004.00000020.00020000.00000000.sdmp, rat.exe, 00000008.00000002.3719816331.000000001B4AE000.00000004.00000020.00020000.00000000.sdmp, rat.exe, 00000008.00000002.3715723586.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\rat.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7yJsmmW4wS.exe PID: 2548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rat.exe PID: 1240, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7yJsmmW4wS.exe PID: 2548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rat.exe PID: 1240, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED