Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544033
MD5: f01ed03b7a786c24ebd92eab9b441b9d
SHA1: 891c8ef7b9ef32e9d4de3ee473186cd4ba66059f
SHA256: 6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb
Tags: exe, user-Bitsight

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found evasive API chain (may stop execution after accessing registry keys)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe ReversingLabs: Detection: 15%
Source: file.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A23100 LoadLibraryExW, 0_2_00A23100
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 2_2_00AD3100 LoadLibraryExW, 2_2_00AD3100
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 5_2_00AD3100 LoadLibraryExW, 5_2_00AD3100
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp rdx, 40h 0_2_00A103B1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp rdx, 40h 0_2_00A103C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then shr r10, 0Dh 0_2_00A1B5E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then shr r10, 0Dh 0_2_00A1CA60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lock or byte ptr [rdx], dil 0_2_00A10B00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp rdx, rbx 0_2_009FBEA0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, 40h 2_2_00AC03B1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, 40h 2_2_00AC03C0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then shr r10, 0Dh 2_2_00ACB5E0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then shr r10, 0Dh 2_2_00ACCA60
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then lock or byte ptr [rdx], dil 2_2_00AC0B00
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, rbx 2_2_00AABEA0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, 40h 5_2_00AC03B1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, 40h 5_2_00AC03C0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then shr r10, 0Dh 5_2_00ACB5E0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then shr r10, 0Dh 5_2_00ACCA60
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then lock or byte ptr [rdx], dil 5_2_00AC0B00
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4x nop then cmp rdx, rbx 5_2_00AABEA0

Networking

Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49708 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49710 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49717 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49726 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49735 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49940 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49932 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49918 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49924 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49908 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49948 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49742 -> 178.215.224.241:5589
Source: Network traffic Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49908 -> 178.215.224.241:5589
Source: unknown DNS query: name: fishcrabs99.ddns.net
Source: global traffic TCP traffic: 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Joe Sandbox View ASN Name: LVLT-10753US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 2_2_000002667B1C1B70 recv, 2_2_000002667B1C1B70
Source: global traffic DNS traffic detected: DNS query: fishcrabs99.ddns.net

System Summary

Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2349782661.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2177332111.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000001B278C80808 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_000001B278C80808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 2_2_00000266799F0808 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00000266799F0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 4_2_00000261E54C0808 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 4_2_00000261E54C0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 5_2_0000018F784D0808 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_0000018F784D0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AD8F00 appears 176 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AD9720 appears 1386 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AEFC60 appears 38 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AD7400 appears 1016 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AEFBA0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AEFB00 appears 32 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: String function: 00AD74E0 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A27400 appears 508 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A28F00 appears 88 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A29720 appears 693 times
Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2349782661.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2177332111.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Edge\
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{F8DE3DC4-75BA-41B5-AAA0-72BEB2254E92}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{201D2E18-90F7-4B7A-B82B-6FF56BC5C891}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{D2F471D6-04FC-452D-BFE5-E6CA5D7676C4}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{9559844D-7F94-49DE-971B-013ECDA3550E}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{2BCF8665-0CFD-491A-9C88-1B848948EC08}
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\system32\1540f5beb3236a6a3ae461a727ff5cab6cda68073f5022edeecd799d7b90531dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe File opened: C:\Windows\system32\cd7370b541f81c6e63571b7c4178dc3fd003c0098fefb3d855eb17b20e3164bcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 15%
Source: file.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: file.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: file.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: file.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: file.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: file.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: file.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: file.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: file.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: file.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: file.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: file.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: file.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: file.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Edge.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Edge.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Edge.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: Edge.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Edge.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Edge.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Edge.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Edge.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Edge.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Edge.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Edge.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Edge.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Edge.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: Edge.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: Edge.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Edge.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Edge.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Edge.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Edge.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Edge.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Edge.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Edge.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: file.exe String found in binary or memory: unsafe.String: len out of rangeCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailW11368683772161602973937988281255684341886080801486968994140625resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connectionGetVolumePathNamesForVolumeNameWfail to seek to string table: %vfail to seek to symbol table: %v28421709430404007434844970703125crypto/aes: input not full block" not supported for cpu option "too many levels of symbolic linksInitializeProcThreadAttributeListreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangebytes.Reader.Seek: invalid whenceskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit 
pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangewaiting for unsupported file typeCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWfail to read relocation block: %v142108547152020037174224853515625710542735760100185871124267578125crypto/aes: output not full blockGODEBUG: no value specified for "leafCounts[maxBits][maxBits] != ntoo many references: cannot spliceSetFileCompletionNotificationModesreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeillegal
Source: file.exe String found in binary or memory: net/addrselect.go
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Roaming\Edge\Edge.exe "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
Source: unknown Process created: C:\Users\user\AppData\Roaming\Edge\Edge.exe "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Section loaded: rasadhlp.dll
Source: file.exe Static file information: File size 2482176 > 1048576
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x175000
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: section name: .xdata
Source: file.exe Static PE information: section name: .symtab
Source: Edge.exe.0.dr Static PE information: section name: .xdata
Source: Edge.exe.0.dr Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Edge\Edge.exe

Boot Survival

barindex
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {AB1F3E47-AEF1-400E-A108-233A046C3A34}
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{68A1BBBA-1552-44A8-955F-BE6CBFD1BFA8} {5CD9FA9E-C629-40A5-B53C-5627575F9471}
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: AAE94B
Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: AAEA0D
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe API/Special instruction interceptor: Address: B5E94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe API/Special instruction interceptor: Address: B5EA0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A56440 rdtscp 0_2_00A56440
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe TID: 776 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe TID: 776 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A23240 GetProcessAffinityMask,GetSystemInfo, 0_2_00A23240
Source: file.exe, 00000000.00000002.2177552989.000001B233845000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000002.00000002.3409909564.0000026654384000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000004.00000002.2349979823.00000261DFE8E000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000005.00000002.2435167248.0000018F72FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A56440 Start: 00A56449 End: 00A5645F 0_2_00A56440
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 2_2_00B06440 Start: 00B06449 End: 00B0645F 2_2_00B06440
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 5_2_00B06440 Start: 00B06449 End: 00B0645F 5_2_00B06440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A56440 rdtscp 0_2_00A56440

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\file.exe NtMapViewOfSection: Indirect: 0x1B278C80F03
Source: C:\Users\user\Desktop\file.exe NtMapViewOfSection: Indirect: 0x1B278C809C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtUnmapViewOfSection: Indirect: 0x266799F0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x261E54C0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtDelayExecution: Direct from: 0xB5EA0D
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x261E54C09C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x266799F0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x266799F09C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x18F784D0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtMapViewOfSection: Indirect: 0x18F784D09C6
Source: C:\Users\user\Desktop\file.exe NtUnmapViewOfSection: Indirect: 0x1B278C80E97
Source: C:\Users\user\Desktop\file.exe NtDelayExecution: Direct from: 0xAAE94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtDelayExecution: Direct from: 0xB5E94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtUnmapViewOfSection: Indirect: 0x261E54C0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe NtUnmapViewOfSection: Indirect: 0x18F784D0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Code function: 2_2_000002667B1C41A0 GetUserGeoID,gethostname,gethostbyname,GetUserNameW, 2_2_000002667B1C41A0

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 7020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 3192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 7020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 3192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edge.exe PID: 6052, type: MEMORYSTR