
Windows Analysis Report
Test.exe

Overview

General Information

Sample name: Test.exe
Analysis ID: 1595255
MD5: e3347a9a35a3397e489ae738b27f7cc7
SHA1: e72a6f4f1fed3513aeef20986cb362e5d2fdfebe
SHA256: 16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82
Tags: exe, Jalapeno, malware, user-Joker

Detection

Discord Rat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Test.exe (PID: 4612 cmdline: "C:\Users\user\Desktop\Test.exe" MD5: E3347A9A35A3397E489AE738B27F7CC7)
    • WerFault.exe (PID: 1268 cmdline: C:\Windows\system32\WerFault.exe -u -p 4612 -s 2304 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware Configuration: {"Discord Token": "MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A", "Server ID": "1330576263034699828"}

Yara Overview

Source | Rule | Description | Author | Strings
Test.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
00000000.00000000.2060867512.00000252ACFE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
Process Memory Space: Test.exe PID: 4612 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
0.0.Test.exe.252acfe0000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


          AV Detection

Source: Test.exe | Avira: detected
Source: Test.exe | Malware Configuration Extractor: Discord Rat {"Discord Token": "MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A", "Server ID": "1330576263034699828"}
Source: Test.exe | Virustotal: Detection: 81%
Source: Test.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: Test.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Test.exe.252acfe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2060867512.00000252ACFE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Test.exe PID: 4612, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.9% probability
Source: Test.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Test.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: em.pdb>&] | source: Test.exe, 00000000.00000002.2565940777.00000252C78EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdb{ | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\System.pdbCK | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbJ_ | source: Test.exe, 00000000.00000002.2565940777.00000252C7862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b77a5c561934e089\mscorlib.pdb | source: Test.exe, 00000000.00000002.2564456106.00000099A0DF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: pC:\Users\user\Desktop\Test.PDB | source: Test.exe, 00000000.00000002.2564456106.00000099A0DF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb) | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\System.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb;^ | source: Test.exe, 00000000.00000002.2565940777.00000252C7862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Web.Extensions.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbIL | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb<1 | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C7862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb=j | source: Test.exe, 00000000.00000002.2565940777.00000252C78A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WERC748.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb | source: Test.exe, 00000000.00000002.2565940777.00000252C78EA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\mscorlib.pdb | source: Test.exe, 00000000.00000002.2564456106.00000099A0DF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\Test.PDB | source: Test.exe, 00000000.00000002.2564456106.00000099A0DF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Test.PDB | source: Test.exe, 00000000.00000002.2564456106.00000099A0DF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb | source: WERC748.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERC748.tmp.dmp.4.dr
Source: global traffic | HTTP traffic detected:
  GET /?v=9&encording=json HTTP/1.1
  Connection: Upgrade,Keep-Alive
  Upgrade: websocket
  Sec-WebSocket-Key: +zX391ttNpZOjPnP5jGUtA==
  Sec-WebSocket-Version: 13
  Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.136.234 162.159.136.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 20 Jan 2025 14:58:00 GMT
  Content-Length: 0
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nwsgl0EYy%2FchUL6GSyaix%2BQjidMb4hrcdNi%2FIentxGzaZPRWhHzyZb4vxH00aMp7CBopw5l70m%2F9665Sblxw%2BFv1ziR5LjI%2BaElI4HuAOcG6HR%2B80zQcHwNEWFrr2%2BadljSEyg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 904feb8fbca81795-EWR
Source: Test.exe, 00000000.00000002.2565940777.00000252C78D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftF.8
Source: Test.exe, 00000000.00000002.2565385467.00000252AEE85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: Test.exe, 00000000.00000002.2565385467.00000252AEDD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Test.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: Test.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: Test.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: Test.exe | String found in binary or memory: https://file.io/
Source: Test.exe, 00000000.00000002.2565385467.00000252AEE69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: Test.exe, 00000000.00000002.2565385467.00000252AEE69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: Test.exe, 00000000.00000002.2565385467.00000252AEE69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: Test.exe, 00000000.00000002.2565385467.00000252AEDD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: Test.exe | String found in binary or memory: https://geolocation-db.com/json
Source: Test.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: Test.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: Test.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: Test.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: Test.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

          E-Banking Fraud

Source: Yara match | File source: Test.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Test.exe.252acfe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2060867512.00000252ACFE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Test.exe PID: 4612, type: MEMORYSTR
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F313FA (function 0_2_00007FF848F313FA)
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F312D1 (function 0_2_00007FF848F312D1)
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F312E0 (function 0_2_00007FF848F312E0)
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F313D3 (function 0_2_00007FF848F313D3)
Source: C:\Users\user\Desktop\Test.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4612 -s 2304
Source: Test.exe | Static PE information: No import functions for PE file found
Source: Test.exe, 00000000.00000002.2564906222.00000252AD1FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Test.exe
Source: Test.exe, 00000000.00000000.2060867512.00000252ACFF6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs Test.exe
Source: Test.exe | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs Test.exe
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\Test.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4612
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1ebe5873-27ed-41af-8a9d-fe01e7a7a4c7
Source: Test.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Test.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Test.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Test.exe | File read: C:\Users\user\Desktop\Test.exe
Source: unknown | Process created: C:\Users\user\Desktop\Test.exe "C:\Users\user\Desktop\Test.exe"
Source: C:\Users\user\Desktop\Test.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: websocket.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Test.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Test.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Test.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Test.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Test.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Test.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: Test.exe, Program.cs | .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: Test.exe, Program.cs | .Net Code: password
Source: Test.exe, Program.cs | .Net Code: webcampic
Source: Test.exe, Program.cs | .Net Code: select_cam
Source: Test.exe, Program.cs | .Net Code: get_cams
Source: Test.exe, Program.cs | .Net Code: get_tokens
Source: Test.exe | Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F33FFD push ebx; retf 000Bh (function 0_2_00007FF848F33FCA)
Source: C:\Users\user\Desktop\Test.exe | Code function: 0_2_00007FF848F33F9D push ebx; retf 000Bh (function 0_2_00007FF848F33FCA)
Source: C:\Users\user\Desktop\Test.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Test.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Test.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Test.exe; Memory allocated: 252AD320000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Test.exe; Memory allocated: 252C6DD0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Test.exe TID: 3276; Thread sleep count: 257 > 30
          Source: C:\Users\user\Desktop\Test.exe TID: 3276; Thread sleep count: 243 > 30
          Source: Amcache.hve.4.dr; Binary or memory string: VMware
          Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin
          Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.
          Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.4.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.4.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.4.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.4.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.4.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.4.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.4.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Test.exe, 00000000.00000002.2564906222.00000252AD267000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Amcache.hve.4.dr; Binary or memory string: vmci.sys
          Source: Amcache.hve.4.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.4.dr; Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.4.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1
          Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.4.dr; Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.4.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.4.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.4.dr; Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.4.dr; Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.4.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.4.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\Test.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\Test.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Test.exe; Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\Test.exe; Queries volume information: C:\Users\user\Desktop\Test.exe VolumeInformation
          Source: C:\Users\user\Desktop\Test.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Test.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Test.exe, Program.cs; .Net Code: DisableTaskManager
          Source: Amcache.hve.4.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.4.dr; Binary or memory string: msmpeng.exe
          Source: Amcache.hve.4.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.4.dr; Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match; File source: Test.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.Test.exe.252acfe0000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.2060867512.00000252ACFE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Test.exe PID: 4612, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match; File source: Test.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.Test.exe.252acfe0000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.2060867512.00000252ACFE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Test.exe PID: 4612, type: MEMORYSTR

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (3) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (11) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | System Information Discovery (12) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Timestomp (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery