Windows Analysis Report 9JbJZPtaKF.exe

Overview

General Information

Sample Name: 9JbJZPtaKF.exe
Analysis ID: 491916
MD5: 133c10454108aa86301f79a03aa24046
SHA1: 21439179cb8700406d57332079ab311d08b0c9bf
SHA256: de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
Tags: BitRAT, exe, RAT

Detection

AsyncRAT BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected BitRAT
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected AntiVM3
Yara detected AsyncRAT
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Creates multiple autostart registry keys
Sigma detected: Suspicious Script Execution From Temp Folder
Writes to foreign memory regions
Connects to many ports of the same IP (likely port scanning)
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Suspicious powershell command line found
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Creates files in alternative data streams (ADS)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: PowerShell Script Run in AppData

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 9JbJZPtaKF.exe Virustotal: Detection: 35%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cf\ct.exe ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: 9JbJZPtaKF.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Uses 32bit PE files
Source: 9JbJZPtaKF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: Telemetry.Common.pdb## source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000003.309143224.0000000002FD6000.00000004.00000001.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp
Source: Binary string: Telemetry.Common.pdb source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000002.311356379.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 4x nop then push ebp 0_2_00479C70
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 4x nop then push ebp 0_2_00452290
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 4x nop then push ebp 0_2_00459460
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 4x nop then push ebp 0_2_00459460
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 4x nop then push ebp 0_2_0044FF30

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.157.160.136 ports 1,1975,3,1973,7,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 185.157.160.136:1973
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.160.136
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.441347188.0000000000923000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000004.00000002.552795488.00000000011B6000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: ct.exe String found in binary or memory: http://schemas.microsof
Source: RegAsm.exe, 00000004.00000002.554885816.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.443919743.0000000004591000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 9JbJZPtaKF.exe, 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, RegAsm.exe, 00000004.00000002.558074837.00000000042E7000.00000004.00000001.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://www.vb-helper.com/vba.htm
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, bg.exe, 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: 9JbJZPtaKF.exe, 00000000.00000002.281098449.000000000079A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a global mouse hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Windows user hook set: 0 mouse low level NULL

System Summary:

Uses 32bit PE files
Source: 9JbJZPtaKF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_00479C70 0_2_00479C70
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_004034F0 0_2_004034F0
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040A2FB 0_2_0040A2FB
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040A330 0_2_0040A330
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040350C 0_2_0040350C
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040B50D 0_2_0040B50D
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0045D710 0_2_0045D710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01159530 4_2_01159530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0115D5E0 4_2_0115D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01158C60 4_2_01158C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0115F298 4_2_0115F298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01158918 4_2_01158918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F5030 4_2_082F5030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F0040 4_2_082F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F28C8 4_2_082F28C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F57A0 4_2_082F57A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F64B0 4_2_082F64B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_083026A0 4_2_083026A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_08300968 4_2_08300968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_08302430 4_2_08302430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_08302423 4_2_08302423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_08302693 4_2_08302693
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Code function: 14_3_00745012 14_3_00745012
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0108C240 22_2_0108C240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0108C2CB 22_2_0108C2CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787EF70 22_2_0787EF70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787D418 22_2_0787D418
PE file contains executable resources (Code or Archives)
Source: 9JbJZPtaKF.exe Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: ct.exe.0.dr Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: mmybgd.exe.4.dr Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: bg.exe.30.dr Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Sample file name is different from the original file name gathered from version info
Source: 9JbJZPtaKF.exe, 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.exe" vs 9JbJZPtaKF.exe
Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTelemetry.Common.dllj% vs 9JbJZPtaKF.exe
Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamea.exe vs 9JbJZPtaKF.exe
Source: 9JbJZPtaKF.exe, 00000000.00000003.278461394.00000000007FA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamea.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.12W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.AppData2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cf2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.ct.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cp2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.net42W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z. vs 9JbJZPtaKF.exe
PE file contains strange resources
Source: mmybgd.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: bg.exe.30.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: 9JbJZPtaKF.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe File read: C:\Users\user\Desktop\9JbJZPtaKF.exe
Source: 9JbJZPtaKF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\9JbJZPtaKF.exe 'C:\Users\user\Desktop\9JbJZPtaKF.exe'
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe'
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe'
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe'
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe'
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe File created: C:\Users\user\AppData\Roaming\cf\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\mmybgd.exe Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@38/9@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: '+LdhvsUs+pw4B71d2iQwVxAbsVN/CI8V5uDe4+8GBQVVA3p3Gjc+xdz/YAfyI5hJiGX1Qc4myvmMJ/w+spH5TQ==', 'Q9Q7PSgZxC8JyyITnfRxL911PUyfaZ4B9LbPmzb+mTt/Hx4JdEAONTuGgnWRwuZpFkFK8zpSe1AiYCl7xj+smQ==', 'SwekYo1ECeuqyYzN9+9SJx43jCQ3iDEuvx8an3VXRZ5VvDwu6r8n7S25x1XQQQHtwNBO8EdlgYpRrR9hxSi3OaDJloHbpfSIX7DAAcqylN8VBzNW6tmZjNKifIL1xwA4LDpbpStyaKERWCs0tsHzPHFUl5kWt8yUwM92eTaBvKMhkHlzxvXcHzlGigD994SD0m1DxsHVtOEkOp13Q9Z3Li/e0abpcfEMTHK4UqVyya09Zq37PU0rpJS3rhyHttYjZqRu4/aysQPq0e6s4B1avfxO0dO4HVdZUQU/FEhl+AZ+n7UJ3Au+H8NclQ/t1Tduui6+i1Zwej8iIp1Tn541nuWtPpBxKSGVGEFu7Dx6/eFT5pYsQVPLh/exGtUzIw3JmwfntfPzHexAEsrF8md/QqpbSwH77xSUhrGItVHFeHSl8Qn58/XiTG/aJP/Tl0FG/VhJWtbgNxWozxdVMu27o19IhfgkHxmssKtHOWua0SR1lhImFUTfwRnDXzHg0pyoMBQVhsL00Y+7npfSGSyX08/8xS0ZCJKgrp2BS3VtcAFZCH1E7AOcLXf50BvkMGbZcIDnqEKOTySfirbIr9tV2FytyGbppML/LOUQvolqbYNC6INHgD3Nqv8YCDPWotuj1BG+Ca6utbQemo+NNqRHET15rUYxtw7pyzIUNsqJnhKfRjKOKi0Db2U6B8sNhWiwNLoFNGv+aQQbEGixQCdlzXiomD0Nkwu/dU7AYoUqlK1Ze1xnGfRm61u+XoWkynj0LMF4Iywewo3n8Fb1u41cijRDsufRt8DTvvGBjILj3MR0n/g5gv4+WSwJpjCOcQBii8Ps3JQHY2IsxhnW9JRxbRJ0g0h9KKFZOJMcewtw7Nji508TbpZZdXvCF176YBMPWkwpoSYpRXMaYM2Kow62560MOfXTj6ijM8a1c5MeuC6G6UKDEQlSfuVFz/b/37BFHqWPFnSetTW3Bmh4cvA5WU/cgh1I1h9v/6InQqIs7ooVK5UYV6ZBnMkKgI0D+BFcOE6YR4K0i5OdvF/+UJG9m8g7zwvniH4jObkSy/HFFOSZIn2rh8omu1d7k4N2Z2lF0yXc+DFhte5S4ggRoOksVK/QtM2nl+c2oOA0SCg2MquzSKF/ZuRaIkH55x4yuRz/alOrgVryfuWwJrNddFeWph32x3ui9V/HFcQg8HZvsRojo/N+DsyBjDBDHaWqH64kz2POlHKHXnpPZbxi7sPze8yb/pL7DK5c4GoeNI2um1X7XG5dcIQXyfObbFEt+A8V8+03DD1lgok7f4gD0RTFZyyT67Hsx+8TPkKBUW2PS83kD+2sGBK/u66SBrO6WxUghpnV/OtaiWBnDGEzn7fGjvWDIhIO9GwLjNnIjXMVpvpN1ZzofYfOHoWqXV2an622TEUWRrf5zdDQsfLv8zvcOCPtUDmS/sfdIKxjovfWfDr2HB7wRZpfJZDZEna+5if6+ExMTMwlwK/mtxR3/q8zsqKNZB/vX97/gvvuVDie2qKbZBLFKVEkZHmRNx6Hcr7MORPFMLinJIIHoyJV5Okih7WJkqj5Vi40EYeXD5QWH5VLL/4xZFNVMVQ4WNejN+MmhVG8Lx4Cb/2vBfCuCxYIuI0Y3ZTGUXRXBK99WzJt8N/rzz/Lmpl8GBxQETqcRxduY6qcfQZYX1Y1ZHSjGjID8Xwb1zMMMfEqca1O27aJnbOMx1HetlFbgZhM/aTkdveZzbNFL
TrJRcvpho5wSov/8gZsdxXVnYJ2W0zKgjHfx/VNjxK80bmInIdKLgiqii/oWQD5Bh96/mRKP7lJ2D/jxmGXtAZXZJeCLBRJ8DaQyJ54wn039c4IjazzhWGC11ShaX8eKYIMkYJ6nFUcRukcK3/aTzb6IfKT3djBfrKQIBJGVlRQhXC5hxr14g2pXwkL9uYjwgyVsJqTUmEaFwexPqDO33rm3i7gqWEyVLXnV8MWwOj2/Kzdw+OFf1Dh+VupTTbwleacwaYO4OH4bx3NzBI5xOQ68pBDXi1uJ6pZ+gGlmX+HB2EYMrFBoHxZHLL9J+KpaLAW1zgPdTdOnaDLGzEd9FdCWR298tQIfVNxPAzSO+CDmc4ndtqYl3NZmEW6VwqrGquN4wFNFxEKTmuecdR9AI2BvmDMP6uxHBsybrRlrjhlPDHy70Tc71HQVmsDqu316O7a4VGftIwqQnFR/HfSD8SU0kQoQzV42Am5FsROnV/FYhRuREmYfWhVLektFh4nRiEdCV4cB7soLWyhPwy9PxBmwL4+CS+doBMyTD+o7/R/jv7JqpgrKTEzdfIx', '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
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: '+LdhvsUs+pw4B71d2iQwVxAbsVN/CI8V5uDe4+8GBQVVA3p3Gjc+xdz/YAfyI5hJiGX1Qc4myvmMJ/w+spH5TQ==', 'Q9Q7PSgZxC8JyyITnfRxL911PUyfaZ4B9LbPmzb+mTt/Hx4JdEAONTuGgnWRwuZpFkFK8zpSe1AiYCl7xj+smQ==', 'SwekYo1ECeuqyYzN9+9SJx43jCQ3iDEuvx8an3VXRZ5VvDwu6r8n7S25x1XQQQHtwNBO8EdlgYpRrR9hxSi3OaDJloHbpfSIX7DAAcqylN8VBzNW6tmZjNKifIL1xwA4LDpbpStyaKERWCs0tsHzPHFUl5kWt8yUwM92eTaBvKMhkHlzxvXcHzlGigD994SD0m1DxsHVtOEkOp13Q9Z3Li/e0abpcfEMTHK4UqVyya09Zq37PU0rpJS3rhyHttYjZqRu4/aysQPq0e6s4B1avfxO0dO4HVdZUQU/FEhl+AZ+n7UJ3Au+H8NclQ/t1Tduui6+i1Zwej8iIp1Tn541nuWtPpBxKSGVGEFu7Dx6/eFT5pYsQVPLh/exGtUzIw3JmwfntfPzHexAEsrF8md/QqpbSwH77xSUhrGItVHFeHSl8Qn58/XiTG/aJP/Tl0FG/VhJWtbgNxWozxdVMu27o19IhfgkHxmssKtHOWua0SR1lhImFUTfwRnDXzHg0pyoMBQVhsL00Y+7npfSGSyX08/8xS0ZCJKgrp2BS3VtcAFZCH1E7AOcLXf50BvkMGbZcIDnqEKOTySfirbIr9tV2FytyGbppML/LOUQvolqbYNC6INHgD3Nqv8YCDPWotuj1BG+Ca6utbQemo+NNqRHET15rUYxtw7pyzIUNsqJnhKfRjKOKi0Db2U6B8sNhWiwNLoFNGv+aQQbEGixQCdlzXiomD0Nkwu/dU7AYoUqlK1Ze1xnGfRm61u+XoWkynj0LMF4Iywewo3n8Fb1u41cijRDsufRt8DTvvGBjILj3MR0n/g5gv4+WSwJpjCOcQBii8Ps3JQHY2IsxhnW9JRxbRJ0g0h9KKFZOJMcewtw7Nji508TbpZZdXvCF176YBMPWkwpoSYpRXMaYM2Kow62560MOfXTj6ijM8a1c5MeuC6G6UKDEQlSfuVFz/b/37BFHqWPFnSetTW3Bmh4cvA5WU/cgh1I1h9v/6InQqIs7ooVK5UYV6ZBnMkKgI0D+BFcOE6YR4K0i5OdvF/+UJG9m8g7zwvniH4jObkSy/HFFOSZIn2rh8omu1d7k4N2Z2lF0yXc+DFhte5S4ggRoOksVK/QtM2nl+c2oOA0SCg2MquzSKF/ZuRaIkH55x4yuRz/alOrgVryfuWwJrNddFeWph32x3ui9V/HFcQg8HZvsRojo/N+DsyBjDBDHaWqH64kz2POlHKHXnpPZbxi7sPze8yb/pL7DK5c4GoeNI2um1X7XG5dcIQXyfObbFEt+A8V8+03DD1lgok7f4gD0RTFZyyT67Hsx+8TPkKBUW2PS83kD+2sGBK/u66SBrO6WxUghpnV/OtaiWBnDGEzn7fGjvWDIhIO9GwLjNnIjXMVpvpN1ZzofYfOHoWqXV2an622TEUWRrf5zdDQsfLv8zvcOCPtUDmS/sfdIKxjovfWfDr2HB7wRZpfJZDZEna+5if6+ExMTMwlwK/mtxR3/q8zsqKNZB/vX97/gvvuVDie2qKbZBLFKVEkZHmRNx6Hcr7MORPFMLinJIIHoyJV5Okih7WJkqj5Vi40EYeXD5QWH5VLL/4xZFNVMVQ4WNejN+MmhVG8Lx4Cb/2vBfCuCxYIuI0Y3ZTGUXRXBK99WzJt8N/rzz/Lmpl8GBxQETqcRxduY6qcfQZYX1Y1ZHSjGjID8Xwb1zMMMfEqca1O27aJnbOMx1HetlFbgZhM/aTkdveZzbNF
LTrJRcvpho5wSov/8gZsdxXVnYJ2W0zKgjHfx/VNjxK80bmInIdKLgiqii/oWQD5Bh96/mRKP7lJ2D/jxmGXtAZXZJeCLBRJ8DaQyJ54wn039c4IjazzhWGC11ShaX8eKYIMkYJ6nFUcRukcK3/aTzb6IfKT3djBfrKQIBJGVlRQhXC5hxr14g2pXwkL9uYjwgyVsJqTUmEaFwexPqDO33rm3i7gqWEyVLXnV8MWwOj2/Kzdw+OFf1Dh+VupTTbwleacwaYO4OH4bx3NzBI5xOQ68pBDXi1uJ6pZ+gGlmX+HB2EYMrFBoHxZHLL9J+KpaLAW1zgPdTdOnaDLGzEd9FdCWR298tQIfVNxPAzSO+CDmc4ndtqYl3NZmEW6VwqrGquN4wFNFxEKTmuecdR9AI2BvmDMP6uxHBsybrRlrjhlPDHy70Tc71HQVmsDqu316O7a4VGftIwqQnFR/HfSD8SU0kQoQzV42Am5FsROnV/FYhRuREmYfWhVLektFh4nRiEdCV4cB7soLWyhPwy9PxBmwL4+CS+doBMyTD+o7/R/jv7JqpgrKTEzdfIx', '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
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: '+LdhvsUs+pw4B71d2iQwVxAbsVN/CI8V5uDe4+8GBQVVA3p3Gjc+xdz/YAfyI5hJiGX1Qc4myvmMJ/w+spH5TQ==', 'Q9Q7PSgZxC8JyyITnfRxL911PUyfaZ4B9LbPmzb+mTt/Hx4JdEAONTuGgnWRwuZpFkFK8zpSe1AiYCl7xj+smQ==', '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', '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
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\127138ab06d688bf145f78193fb1c3e5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\df4Rtg34dFjwr
Source: 9JbJZPtaKF.exe, 00000000.00000002.281002165.0000000000482000.00000004.00020000.sdmp, ct.exe, 0000000B.00000002.311342011.0000000000482000.00000004.00020000.sdmp, ct.exe, 0000000E.00000002.328236678.0000000000482000.00000004.00020000.sdmp, mmybgd.exe, 0000001E.00000002.442651359.0000000000482000.00000004.00020000.sdmp Binary or memory string: @*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
Source: 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmp Binary or memory string: /@ H*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
Source: 9JbJZPtaKF.exe Binary or memory string: H*\AC:\Users\Pc\Desktop\Private Stubs\yaxil suge\ExtendedRTFCode.vbp
Source: 9JbJZPtaKF.exe String found in binary or memory: eated to reference specifically\ulnone \par Visual Basic Programmer's Journal \par VB2Max \par PlanetCodeSource \par \fs26 VB-helper\fs24 \par \ul\b Known Code Sources\ulnone\b0 \par \pard\nowidctlpar\fs26 Public Function RichWordOver() As String \pa
Source: 9JbJZPtaKF.exe String found in binary or memory: 'Ready-To-Run Visual Basic Algorithms, Second Edition \par 'http://www.vb-helper.com/vba.htm \par modified for class usage by adding Sub \b MouseMove\b0 to the class as it needs to know about X and Y for mouse. \b \par \par \b0 Span Example in VB H
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: Telemetry.Common.pdb## source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000003.309143224.0000000002FD6000.00000004.00000001.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp
Source: Binary string: Telemetry.Common.pdb source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000002.311356379.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' (2 identical entries)
.NET source code contains potential unpacker
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_3_007DA036 push 00000000h; iretd 0_3_007DA27A
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040BA4D push ebx; iretd 0_2_0040BA4E
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040BA50 push ebx; iretd 0_2_0040BA5E
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Code function: 0_2_0040BA01 push ebx; iretd 0_2_0040BA3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_082F1C92 pushfd ; retf 4_2_082F1C99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_08308130 push ss; iretd 4_2_08308134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_083099DA pushfd ; retn 0000h 4_2_083099DE
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Code function: 11_3_006C9966 push 00000000h; iretd 11_3_006C99CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787C591 push cs; iretd 22_2_0787C592
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787A5D1 push es; iretd 22_2_0787A5D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787C5EB push cs; iretd 22_2_0787C5F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787C521 push cs; iretd 22_2_0787C522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787C543 push cs; iretd 22_2_0787C54A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787C540 push cs; iretd 22_2_0787C542
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787E347 push ds; iretd 22_2_0787E34A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_0787E19F push ds; iretd 22_2_0787E1A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_07872BAA pushad ; iretd 22_2_07872BB1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe File created: C:\Users\user\AppData\Roaming\cf\ct.exe
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe File created: C:\Users\user\AppData\Roaming\bp\bg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\mmybgd.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bm
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cp (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bm (2 identical entries)

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: iconPdf.png
Creates files in alternative data streams (ADS)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local:28-09-2021
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value created or modified: HKEY_CURRENT_USER\Software\37C355B9F362AD041939 4E47C429C681B3A23CF9BF8CDF60CAB79FBEDDB88B39B406A61CE21097DD7FE6
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (64 identical entries)
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match File source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 9JbJZPtaKF.exe, 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, ct.exe, 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, RegAsm.exe, 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, ct.exe, 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, RegAsm.exe, 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3404 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3404 Thread sleep count: 77 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5476 Thread sleep count: 115 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5476 Thread sleep count: 9646 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5060 Thread sleep time: -350000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2276 Thread sleep time: -1844674407370954s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9646
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 943
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000016.00000002.444912196.0000000004886000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: RegAsm.exe, 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp Binary or memory string: Bm:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RegAsm.exe, 00000004.00000002.561723054.00000000052F5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CAB008
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F49008
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8D8008
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A80008
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F4B008
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\cf\ct.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe'
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\bp\bg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: RegAsm.exe, 00000004.00000003.410300499.00000000061F8000.00000004.00000001.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000004.00000002.554377329.00000000016E0000.00000002.00020000.sdmp, RegAsm.exe, 0000001F.00000002.556205526.0000000001370000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.307140566.00000000006F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325430436.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306946941.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306899015.00000000006EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327182152.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325299126.000000000070C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.544974477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280183910.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278483376.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306958807.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325371450.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.340503270.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.356231512.00000000061A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325340924.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327210322.0000000000723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278249926.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278304939.0000000000805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554990912.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278201980.00000000007FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308889804.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306989450.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278470265.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.327236288.0000000000744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.322158875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.306923152.00000000006C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278264012.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325501534.0000000000739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.280278807.0000000000810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308874401.00000000006DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278240068.00000000007EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.278220853.00000000007D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.308858373.00000000006FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.325118501.000000000072F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information:

Yara detected BitRAT
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.476289404.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.491911455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bg.exe PID: 6184, type: MEMORYSTR

Remote Access Functionality:

Yara detected BitRAT
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.476289404.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.491911455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bg.exe PID: 6184, type: MEMORYSTR