
Windows Analysis Report
Client.exe

Overview

General Information

Sample name: Client.exe
Analysis ID: 1394070
MD5: 304d41baaa716a6d582877785f93ef68
SHA1: a2b16217d6326c54fbd7ca5586519d50ce3e20ca
SHA256: 760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea
Tags: exeUKR

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Client.exe (PID: 7308 cmdline: C:\Users\user\Desktop\Client.exe MD5: 304D41BAAA716A6D582877785F93EF68)
    • cmd.exe (PID: 7396 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7476 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7504 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • WindowsDefender.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Roaming\WindowsDefender.exe" MD5: 304D41BAAA716A6D582877785F93EF68)
  • WindowsDefender.exe (PID: 7528 cmdline: C:\Users\user\AppData\Roaming\WindowsDefender.exe MD5: 304D41BAAA716A6D582877785F93EF68)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
No configs have been found
Source | Rule | Description | Author | Strings (listed below each row)
Client.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Client.exe | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65f7:$a1: havecamera
    • 0x9b20:$a2: timeout 3 > NUL
    • 0x9b40:$a3: START "" "
    • 0x99cb:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a80:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Client.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a80:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x99cb:$s2: L2Mgc2NodGFza3MgL2
    • 0x994a:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9998:$s4: VmlydHVhbFByb3RlY3Q
Client.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9d02:$q1: Select * from Win32_CacheMemory
    • 0x9d42:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d90:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9dde:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Client.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0xa17a:$s1: DcRatBy
Source | Rule | Description | Author | Strings (listed below each row)
C:\Users\user\AppData\Roaming\WindowsDefender.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Roaming\WindowsDefender.exe | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65f7:$a1: havecamera
    • 0x9b20:$a2: timeout 3 > NUL
    • 0x9b40:$a3: START "" "
    • 0x99cb:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a80:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
C:\Users\user\AppData\Roaming\WindowsDefender.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a80:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x99cb:$s2: L2Mgc2NodGFza3MgL2
    • 0x994a:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9998:$s4: VmlydHVhbFByb3RlY3Q
C:\Users\user\AppData\Roaming\WindowsDefender.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9d02:$q1: Select * from Win32_CacheMemory
    • 0x9d42:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d90:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9dde:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\WindowsDefender.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0xa17a:$s1: DcRatBy
Source | Rule | Description | Author | Strings (listed below each row)
00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x67a7:$a1: havecamera
    • 0x9cd0:$a2: timeout 3 > NUL
    • 0xd1ee:$a2: timeout 3 > NUL
    • 0xe658:$a2: timeout 3 > NUL
    • 0x9cf0:$a3: START "" "
    • 0x9b7b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9c30:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x63f7:$a1: havecamera
    • 0x9920:$a2: timeout 3 > NUL
    • 0x9940:$a3: START "" "
    • 0x97cb:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9880:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000008.00000002.1718869838.000000000066C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x68dc:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings (listed below each row)
0.0.Client.exe.580000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.Client.exe.580000.0.unpack | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x65f7:$a1: havecamera
    • 0x9b20:$a2: timeout 3 > NUL
    • 0x9b40:$a3: START "" "
    • 0x99cb:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x9a80:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.0.Client.exe.580000.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x9a80:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x99cb:$s2: L2Mgc2NodGFza3MgL2
    • 0x994a:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x9998:$s4: VmlydHVhbFByb3RlY3Q
0.0.Client.exe.580000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x9d02:$q1: Select * from Win32_CacheMemory
    • 0x9d42:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x9d90:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x9dde:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.0.Client.exe.580000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0xa17a:$s1: DcRatBy

System Summary

Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\Client.exe, ParentImage: C:\Users\user\Desktop\Client.exe, ParentProcessId: 7308, ParentProcessName: Client.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, ProcessId: 7396, ProcessName: cmd.exe
Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\Client.exe, ParentImage: C:\Users\user\Desktop\Client.exe, ParentProcessId: 7308, ParentProcessName: Client.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, ProcessId: 7396, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7396, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' , ProcessId: 7476, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: Client.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Avira: detection malicious, Label: HEUR/AGEN.1307404
Source: 6.tcp.eu.ngrok.io, Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Virustotal: Detection: 75%
Source: Client.exe, ReversingLabs: Detection: 84%
Source: Client.exe, Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Joe Sandbox ML: detected
Source: Client.exe, Joe Sandbox ML: detected
Source: Client.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: global traffic, TCP traffic: 3.69.157.220 ports 16234,1,2,3,4,6
Source: global traffic, TCP traffic: 18.197.239.109 ports 16234,1,2,3,4,6
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 3.69.157.220:16234
Source: global traffic, TCP traffic: 192.168.2.4:49745 -> 18.197.239.109:16234
Source: Joe Sandbox View, IP Address: 18.197.239.109
Source: Joe Sandbox View, IP Address: 3.69.157.220
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, DNS traffic detected: queries for: 6.tcp.eu.ngrok.io
Source: Client.exe, 00000000.00000002.1674383433.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, WindowsDefender.exe, 00000007.00000002.2912950876.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, File source: Client.exe, type: SAMPLE
Source: Yara match, File source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED

System Summary

Source: Client.exe, type: SAMPLE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Client.exe, type: SAMPLE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: Client.exe, type: SAMPLE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: Client.exe, type: SAMPLE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.1718869838.000000000066C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2912950876.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.1673920516.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2911936077.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.2912950876.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.1674383433.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.1719419411.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: WindowsDefender.exe PID: 7528, type: MEMORYSTR, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: WindowsDefender.exe PID: 7552, type: MEMORYSTR, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Code function: 7_2_00007FFD9B880600
Source: C:\Users\user\Desktop\Client.exe, Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: slc.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Client.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe, Section loaded: cmdext.dll
Source: C:\Windows\System32\schtasks.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe, Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe, Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe, Section loaded: xmllite.dll
Source: C:\Windows\System32\timeout.exe, Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Section loaded: msasn1.dll
Source: Client.exe, type: SAMPLE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Client.exe, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: Client.exe, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: Client.exe, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000008.00000002.1718869838.000000000066C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000007.00000002.2912950876.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000000.00000002.1673920516.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000007.00000002.2911936077.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000007.00000002.2912950876.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000000.00000002.1674383433.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000008.00000002.1719419411.0000000002421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: WindowsDefender.exe PID: 7528, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: WindowsDefender.exe PID: 7552, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPEDMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: Client.exe, Settings.csBase64 encoded string: 'iRy9eetP9vA+mAVFHnKtwdw1J0BeZQ/7ZnbPj1i2gcg/CaraNQ9P2ZeSlYe7XvCDUwwQT8sV9mGDLAU+q2F2Xw==', 'pfbVhE1H/ODJ5UCbf2rVECW5Mrdwg5pRJ55qgRYMxFitY41YMNRrmhhuKrcbjohBXmicO3zRaLN+AvXUoyRPTGRoXbN/Y3SAL/u26BmZZlo=', 'TWC6nJEl6GEDESMbY2s4aTfHxmbIqV00+U/dc/nyNZNDL/woynPNEGYoxCP+ZQPzxujjQvN+sciwGW0i8/xk+Q==', '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', 'Hz5uGiF0cgonLiwXm8vQcHPU3nNRvQlr43NQiYZqpilzf6VdZ570Z67vVz0Mrw91DwPLaZ5uTLEwqp/7HczzNQ==', '++IIHVPELGbnp3xBcb6A808zu+1KkWxAH5qCo8gItu+yBOv98TwjytC/JQkWW2RgEXDABQLBCJjIkUgEEKaP/A=='
            Source: Client.exe, NormalStartup.csBase64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: WindowsDefender.exe.0.dr, Settings.csBase64 encoded string: 'iRy9eetP9vA+mAVFHnKtwdw1J0BeZQ/7ZnbPj1i2gcg/CaraNQ9P2ZeSlYe7XvCDUwwQT8sV9mGDLAU+q2F2Xw==', 'pfbVhE1H/ODJ5UCbf2rVECW5Mrdwg5pRJ55qgRYMxFitY41YMNRrmhhuKrcbjohBXmicO3zRaLN+AvXUoyRPTGRoXbN/Y3SAL/u26BmZZlo=', 'TWC6nJEl6GEDESMbY2s4aTfHxmbIqV00+U/dc/nyNZNDL/woynPNEGYoxCP+ZQPzxujjQvN+sciwGW0i8/xk+Q==', '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', 'Hz5uGiF0cgonLiwXm8vQcHPU3nNRvQlr43NQiYZqpilzf6VdZ570Z67vVz0Mrw91DwPLaZ5uTLEwqp/7HczzNQ==', '++IIHVPELGbnp3xBcb6A808zu+1KkWxAH5qCo8gItu+yBOv98TwjytC/JQkWW2RgEXDABQLBCJjIkUgEEKaP/A=='
            Source: WindowsDefender.exe.0.dr, NormalStartup.csBase64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: 0.2.Client.exe.2db31b0.1.raw.unpack, Settings.csBase64 encoded string: 'iRy9eetP9vA+mAVFHnKtwdw1J0BeZQ/7ZnbPj1i2gcg/CaraNQ9P2ZeSlYe7XvCDUwwQT8sV9mGDLAU+q2F2Xw==', 'pfbVhE1H/ODJ5UCbf2rVECW5Mrdwg5pRJ55qgRYMxFitY41YMNRrmhhuKrcbjohBXmicO3zRaLN+AvXUoyRPTGRoXbN/Y3SAL/u26BmZZlo=', 'TWC6nJEl6GEDESMbY2s4aTfHxmbIqV00+U/dc/nyNZNDL/woynPNEGYoxCP+ZQPzxujjQvN+sciwGW0i8/xk+Q==', 'TENy8+9t/lGmmjILf0drwFqz9Znwolx1zzO8U1rAjsQ175yf/pRyprsQ4Y82SGMmuf0sC4BrrL9CJOY05PxnU9Ef5EQY/8ZAY48mmnD0uheQYEjkbAGhKDiENKMNRZURQIQQJHVKSdgF19CLHxAWK4huFjfG1q3/KPdDtoJKbDQKl6Z1y5PZbokOAfH9oIei68XqppLfrlJCZavP9hK8Y4epTtXe+w5fAnouvGAy7eNDbnt6oUrp5b2H9fKdTTZd9gKqZdUSdsaL2u6hA3l6WlD/QdwMmKXj0kxJJoffp7+nkt5ttWg8x++OWE7TWILFjTe41sD3sZ2fnDOOOmRY5be57DuyxFewaoZ/kT5YsKMvZHuKlFYuTuevEuOg/4yNlMuZifKYCofYFKhhn47ZoFfmm+ByGVujjQkw8NINkSUJUcqSFs1ZR6vyOt4ikc/U+DPYomGPBfCtQealiNrGQYnOlOd0Cx6I12avagtC2BHNnyKTOun7Me1BJMgwfwfOkqucQSSlzG4554pZ4DRvzNONtDqEKdljnI1ORTp+F98udgEwlRAsuBBMXCwbOwcStkyKBTJiutlBLhphsnoQOFXapKmCSV7lENgnNemggVwWu6M6GKlZKBlS64F83CjeTRR00c6wLCWLMBgsaT7joQ1tqUpQjn3bwMmW4gzuENzXGp+LYW6WEByMTdiBna8moXCU+joeZsKWe4Le8zaGWPRt4inFKA6UUrsVXRDOj1odQ9CYRb3GjIAUnileRl3q6l7Yi/yllR1oS6zEZ77POe0l9+UByPDou3P3zUynVXqYGqSd6WiTplQJkaEJoQPU6lQxpEUsXFI6SA8wqEdkFG6aSPR3OItQvIT+yE36QeZvRZtAyWHcmzF1df9PZweHScnEE2SDMNVM0tC4jBYxLjcdVuk6tLVNAX9rUxd+7tqwJhBRyZ+bD57BoUl2FsARgY6EaVFvVagMaRONhg0naqIfVarhzAcetEjiNXlNH09YtOEvIsGyMBfiiG6elT3jMetT3LYN956czP+F+oNNJHcOsjt9T0CyKrz7VfQCGA/e7FP6zG2o+CfORXc+vD4n', 'Hz5uGiF0cgonLiwXm8vQcHPU3nNRvQlr43NQiYZqpilzf6VdZ570Z67vVz0Mrw91DwPLaZ5uTLEwqp/7HczzNQ==', '++IIHVPELGbnp3xBcb6A808zu+1KkWxAH5qCo8gItu+yBOv98TwjytC/JQkWW2RgEXDABQLBCJjIkUgEEKaP/A=='
            Source: 0.2.Client.exe.2db31b0.1.raw.unpack, NormalStartup.csBase64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: 0.2.Client.exe.2db31b0.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.Client.exe.2db31b0.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: WindowsDefender.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: WindowsDefender.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: Client.exe, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Client.exe, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@15/5@2/3
            Source: C:\Users\user\Desktop\Client.exeFile created: C:\Users\user\AppData\Roaming\WindowsDefender.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exeMutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
            Source: C:\Users\user\Desktop\Client.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB214.tmpJump to behavior
            Source: C:\Users\user\Desktop\Client.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat""
            Source: Client.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Client.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Client.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Client.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Client.exeReversingLabs: Detection: 84%
            Source: Client.exeVirustotal: Detection: 75%
            Source: C:\Users\user\Desktop\Client.exeFile read: C:\Users\user\Desktop\Client.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Client.exe C:\Users\user\Desktop\Client.exe
            Source: C:\Users\user\Desktop\Client.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Client.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"'
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsDefender.exe C:\Users\user\AppData\Roaming\WindowsDefender.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\WindowsDefender.exe "C:\Users\user\AppData\Roaming\WindowsDefender.exe"
            Source: C:\Users\user\Desktop\Client.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exitJump to behavior
            Source: C:\Users\user\Desktop\Client.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat""Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3 Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\WindowsDefender.exe "C:\Users\user\AppData\Roaming\WindowsDefender.exe" Jump to behavior
            Source: C:\Users\user\Desktop\Client.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
            Source: Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Client.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\Client.exeCode function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exeCode function: 7_2_00007FFD9B8800BD pushad ; iretd 7_2_00007FFD9B8800C1
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exeCode function: 8_2_00007FFD9B8A00BD pushad ; iretd 8_2_00007FFD9B8A00C1
            Source: C:\Users\user\Desktop\Client.exeFile created: C:\Users\user\AppData\Roaming\WindowsDefender.exeJump to dropped file

            Boot Survival

            Source: Yara match | File source: Client.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"'
            Source: C:\Users\user\Desktop\Client.exe | Process information set: NOOPENFILEERRORBOX (33 identical entries)
            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)

Malware Analysis System Evasion

Source: Yara match; File source: Client.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED
Source: Client.exe, WindowsDefender.exe.0.dr; Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\Client.exe; Memory allocated: AE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client.exe; Memory allocated: 1A8D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Memory allocated: C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Memory allocated: 930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Memory allocated: 1A420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Client.exe TID: 7332; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe TID: 7532; Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe TID: 7572; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\Client.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; File Volume queried: C:\ FullSizeInformation
Source: WindowsDefender.exe, 00000007.00000002.2917859293.000000001B0D4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Client.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Client.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Client.exe; Memory allocated: page read and write | page guard
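Of the entries above, the two worth triaging by hand are the delay values and the '#'-joined process-name string; the memory-write-watch and NOOPENFILEERRORBOX entries are what any .NET process produces (the CLR garbage collector reserves its heap with write watch, and the runtime sets the error mode at startup), so on their own they are weak evidence. The script below is an added example written for this report, not Joe Sandbox or AsyncRAT code. It re-types the lines above as constructed input, buckets each delay, and splits the kill list. The 922337203685477 figure is read as milliseconds despite the report's "s" suffix: 2^63 100-ns ticks, the interval Sleep(INFINITE) hands to NtDelayExecution, divided by 10000 ticks per millisecond gives exactly that number, so both threads are parked indefinitely rather than sleeping for a finite time. The tool-name set beyond the names the sample carries is an assumed extension.

```python
import re
from typing import Dict, List

# Sleep(INFINITE) reaches NtDelayExecution as the most negative 64-bit tick count
# (2**63 ticks of 100 ns); in milliseconds that is the 922337203685477 the report prints.
# Inference from the numbers, not a documented Joe Sandbox unit.
INFINITE_MS = 2 ** 63 // 10_000
LONG_SLEEP_MS = 30_000  # the threshold the report itself compares against (>= -30000s)

# Constructed sample lines, re-typed from the report's evasion section; not a real log.
REPORT_LINES = [
    "C:\\Users\\user\\Desktop\\Client.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s",
    "C:\\Users\\user\\AppData\\Roaming\\WindowsDefender.exe TID: 7532 Thread sleep time: -60000s >= -30000s",
    "C:\\Users\\user\\AppData\\Roaming\\WindowsDefender.exe TID: 7572 Thread sleep time: -922337203685477s >= -30000s",
    "Client.exe, WindowsDefender.exe.0.dr Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE",
    "Client.exe Binary or memory string: MSASCui.exe",
    "Client.exe Binary or memory string: MsMpEng.exe",
    "Client.exe Binary or memory string: kernel32.dll",
]

SLEEP_RE = re.compile(r"^(?P<image>\S+) TID: (?P<tid>\d+);? Thread sleep time: -?(?P<ms>\d+)s")
STRING_RE = re.compile(r"Binary or memory string: (?P<value>\S+)$")

# Names the sample carries (taskmgr, processhacker, MSASCui, procexp, MsMpEng) plus a few
# other analysis tools; the extra entries are an assumed extension, not from the sample.
ANALYSIS_TOOLS = {
    "taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe", "msascui.exe",
    "msmpeng.exe", "wireshark.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "procmon.exe",
}


def classify_sleep(ms: int) -> str:
    """Bucket a requested delay. The minus sign in the report is NtDelayExecution's
    relative-time convention and says nothing about the length."""
    if ms >= INFINITE_MS:
        return "infinite"   # Sleep(INFINITE): the thread never wakes up
    if ms >= LONG_SLEEP_MS:
        return "long"       # outlasts a typical sandbox budget, the classic delay evasion
    return "short"


def split_name_list(value: str) -> List[str]:
    """The sample stores its process kill list as one '#'-joined string."""
    return [n.strip().lower() for n in value.split("#") if n.strip()]


def triage(lines: List[str]) -> Dict[str, list]:
    """Walk report lines and collect the two evasion signals side by side."""
    findings: Dict[str, list] = {"infinite_sleeps": [], "long_sleeps": [], "tool_names": []}
    for line in lines:
        m = SLEEP_RE.match(line)
        if m:
            ms = int(m.group("ms"))
            record = {"image": m.group("image").rsplit("\\", 1)[-1],
                      "tid": int(m.group("tid")), "ms": ms}
            bucket = classify_sleep(ms)
            if bucket == "infinite":
                findings["infinite_sleeps"].append(record)
            elif bucket == "long":
                findings["long_sleeps"].append(record)
            continue
        m = STRING_RE.search(line)
        if m:
            for name in split_name_list(m.group("value")):
                if name in ANALYSIS_TOOLS and name not in findings["tool_names"]:
                    findings["tool_names"].append(name)
    return findings


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(key, value)
```

The kill list pairs with the OpenProcess(1u, ...) reference further down: an AsyncRAT/DcRat-style "AntiProcess" routine walks running processes and terminates any whose name is in that list, so an analyst who sees Task Manager or Process Hacker die on a host has a second, host-side observation of the same string.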

HIPS / PFW / Operating System Protection Evasion

Source: Client.exe, AntiProcess.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: Client.exe, Win32.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: Client.exe, Amsi.cs; Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Source: C:\Users\user\Desktop\Client.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit
Source: C:\Users\user\Desktop\Client.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat""
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"'
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\WindowsDefender.exe "C:\Users\user\AppData\Roaming\WindowsDefender.exe"
Source: C:\Users\user\Desktop\Client.exe; Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe; Queries volume information: C:\Users\user\AppData\Roaming\WindowsDefender.exe VolumeInformation
Source: C:\Users\user\Desktop\Client.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
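Reading the three API references: OpenProcess(1u, ...) requests PROCESS_TERMINATE (0x1), which is all a process kill list needs; the LoadLibraryA / GetProcAddress / GetDelegateForFunctionPointer chain resolves imports at run time so they never appear in the assembly's static import table; and VirtualAllocEx(..., 64u) asks for PAGE_EXECUTE_READWRITE (0x40) memory for a buffer named patch in a file named Amsi.cs, the shape of an in-process AMSI patch. The persistence chain is plainer: a scheduled task named "WindowsDefender" that runs a binary in %APPDATA% at every logon with the highest run level, created through cmd.exe, plus a self-deleting batch file that waits three seconds, starts the copy and removes itself. The following is an added example, not code from the report or the sample: it parses that schtasks command line, lists the reasons it stands out, and recognises the batch pattern. The look-alike name list and the trusted / user-writable directory lists are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed input: the schtasks command line and the tmpB214.tmp.bat content quoted in
# the report, re-typed as Python strings (the '..' in the report's preview is CRLF).
SCHTASKS_CMDLINE = (
    'schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" '
    "/tr '\"C:\\Users\\user\\AppData\\Roaming\\WindowsDefender.exe\"'"
)
BATCH_NAME = "tmpB214.tmp.bat"
BATCH_CONTENT = (
    "@echo off\r\n"
    "timeout 3 > NUL\r\n"
    'START "" "C:\\Users\\user\\AppData\\Roaming\\WindowsDefender.exe"\r\n'
    "CD C:\\Users\\user\\AppData\\Local\\Temp\\\r\n"
    'DEL "tmpB214.tmp.bat" /f /q\r\n'
)

# Tokens are double-quoted, single-quoted (cmd.exe passes single quotes through, and the
# sample wraps the path in both kinds) or bare.
TOKEN_RE = re.compile(r'"[^"]*"|' + r"'[^']*'|\S+")
# Assumed directory lists for illustration; adjust to the environment.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumed look-alike vocabulary for task names; extend from your own telemetry.
LOOKALIKE_NAMES = ("windowsdefender", "windows defender", "msmpeng", "securityhealth",
                   "windowsupdate", "onedrive", "microsoft")


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map 'schtasks /create /f /sc onlogon ...' to {'create': '', 'f': '', 'sc': 'onlogon', ...}.
    A switch followed by another switch (or by nothing) is a flag with an empty value."""
    tokens = [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]
    args: Dict[str, str] = {}
    i = 1  # tokens[0] is the executable name
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[key] = tokens[i + 1]
            i += 2
        else:
            args[key] = ""
            i += 1
    return args


def task_findings(args: Dict[str, str]) -> List[str]:
    """Reasons a task registration deserves a look; each maps to one field of the command line."""
    reasons: List[str] = []
    if args.get("sc", "").lower() == "onlogon":
        reasons.append("sc=onlogon: runs at every interactive logon")
    if args.get("rl", "").lower() == "highest":
        reasons.append("rl=highest: asks for the highest run level the registering user has")
    action = args.get("tr", "").lower()
    if action and not action.startswith(TRUSTED_DIRS) and any(d in action for d in USER_WRITABLE):
        reasons.append("tr: action binary sits in a user-writable directory")
    name = args.get("tn", "").lower()
    if any(n in name for n in LOOKALIKE_NAMES) and not action.startswith(TRUSTED_DIRS):
        reasons.append("tn: task name imitates a Microsoft component but does not run from a system path")
    if "f" in args:
        reasons.append("f: overwrites an existing task of the same name without a prompt")
    return reasons


def batch_self_delete(content: str, batch_name: str) -> Dict[str, bool]:
    """Recognise the wait, launch, delete-self sequence of the dropped batch file."""
    lines = [ln.strip().lower() for ln in content.splitlines() if ln.strip()]
    return {
        "delays": any(ln.startswith(("timeout", "ping ")) for ln in lines),
        "launches_payload": any(ln.startswith("start ") for ln in lines),
        "deletes_self": any(ln.startswith("del ") and batch_name.lower() in ln for ln in lines),
    }


if __name__ == "__main__":
    parsed = parse_schtasks(SCHTASKS_CMDLINE)
    print(parsed)
    for reason in task_findings(parsed):
        print(" -", reason)
    print(batch_self_delete(BATCH_CONTENT, BATCH_NAME))
```

On a live host the same reasoning applies to the registered task rather than the command line: the Task Scheduler event at 11:01:00 in this report ("Run new task: WindowsDefender") is the artefact to look for, and a task whose action resolves under a user profile while its name imitates Defender is the pivot.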

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: Client.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Client.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Client.exe.2db31b0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Client.exe.2db31b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, type: DROPPED
Source: Client.exe, 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, WindowsDefender.exe.0.dr; Binary or memory string: MSASCui.exe
Source: Client.exe, 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, WindowsDefender.exe.0.dr; Binary or memory string: procexp.exe
Source: Client.exe, 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, WindowsDefender.exe.0.dr; Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match; File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: Process Memory Space: Client.exe PID: 7308, type: MEMORYSTR

MITRE ATT&CK Matrix (a number in parentheses is the count of matching signatures; cells without a number are the matrix template)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Scripting (1) | Valid Accounts | Scheduled Task/Job (2) | Scheduled Task/Job (2) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (211) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Native API (1) | Scripting (1) | Scheduled Task/Job (2) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (1) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (111) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Behavior Graph (ID 1394070, sample Client.exe, start date 18/02/2024, architecture WINDOWS, score 100)

Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
Resolved name: 6.tcp.eu.ngrok.io

Client.exe (started from the sample)
    dropped: C:\Users\user\AppData\...\WindowsDefender.exe (PE32)
    cmd.exe (schtasks launcher)
        conhost.exe
        schtasks.exe (signature: Uses schtasks.exe or at.exe to add and modify task schedules)
    cmd.exe (runs tmpB214.tmp.bat)
        conhost.exe
        timeout.exe
        WindowsDefender.exe
WindowsDefender.exe (second instance, started at top level)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    network: 18.197.239.109 (AMAZON-02, United States), ports 16234, 49745, 49746
    network: 6.tcp.eu.ngrok.io / 3.69.157.220 (AMAZON-02, United States), ports 16234, 49730, 49736
    network: 127.0.0.1

Antivirus results for the submitted sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| Client.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
| Client.exe | 100% | Avira | HEUR/AGEN.1307404 |
| Client.exe | 100% | Joe Sandbox ML | |
| Client.exe | 75% | Virustotal | |

Antivirus results for dropped files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\WindowsDefender.exe | 100% | Avira | HEUR/AGEN.1307404 |
| C:\Users\user\AppData\Roaming\WindowsDefender.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Roaming\WindowsDefender.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
| C:\Users\user\AppData\Roaming\WindowsDefender.exe | 75% | Virustotal | |
            No Antivirus matches
Antivirus results for domains

| Source | Detection | Scanner |
|---|---|---|
| 6.tcp.eu.ngrok.io | 12% | Virustotal |
            No Antivirus matches
Contacted domains

| Name | IP | Active | Malicious | Reputation |
|---|---|---|---|---|
| 6.tcp.eu.ngrok.io | 3.69.157.220 | true | true | unknown |
URLs found in memory or binary data

| Name | Source | Malicious | Reputation |
|---|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Client.exe, 00000000.00000002.1674383433.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp; WindowsDefender.exe, 00000007.00000002.2912950876.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | false | high |
Contacted public IPs

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 18.197.239.109 | unknown | United States | 16509 | AMAZON-02, US | true |
| 3.69.157.220 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02, US | true |

Contacted private / loopback IPs: 127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1394070
Start date and time: 2024-02-18 12:00:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Client.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/5@2/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Client.exe, PID 7308 because it is empty
• Execution Graph export aborted for target WindowsDefender.exe, PID 7552 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
| Time | Type | Description |
|---|---|---|
| 11:01:00 | Task Scheduler | Run new task: WindowsDefender path: "C:\Users\user\AppData\Roaming\WindowsDefender.exe" |
Context: other samples in the Joe Sandbox database that contacted the same IP, domain or ASN

IP 18.197.239.109

| Associated sample | Detection | Threat name |
|---|---|---|
| zyx3qItgQK.exe | malicious | Njrat |
| 226dVJ2zRZ.exe | malicious | Njrat |
| IsJb5hB84q.exe | malicious | Njrat |
| rkIcS0Y2WY.exe | malicious | Njrat |
| 30b4CoDmKk.exe | malicious | Njrat |
| N1aqZIb7KG.exe | malicious | Njrat |
| dKe1GfZOs1.exe | malicious | Njrat |
| bRxR.exe | malicious | AsyncRAT, DcRat |
| ZuXcnAYgVp.exe | malicious | Njrat |
| d09l64ZAW6.exe | malicious | Njrat |

IP 3.69.157.220

| Associated sample | Detection | Threat name |
|---|---|---|
| YTYyFVemXR.exe | malicious | Njrat |
| NfJ0jC2dPr.exe | malicious | Njrat |
| ziTLBa3N50.exe | malicious | Njrat |
| 1.exe | malicious | Njrat |
| 226dVJ2zRZ.exe | malicious | Njrat |
| myidJB8lDL.exe | malicious | Njrat |
| QsKtlzYaKF.exe | malicious | Njrat |
| xZLQ8X9Cxo.exe | malicious | Njrat |
| dKe1GfZOs1.exe | malicious | Njrat |
| bRxR.exe | malicious | AsyncRAT, DcRat |

Domain 6.tcp.eu.ngrok.io

| Associated sample | Detection | Threat name | Resolved IP at the time |
|---|---|---|---|
| M5vARlA2c4.exe | malicious | Njrat | 3.68.171.119 |
| YTYyFVemXR.exe | malicious | Njrat | 3.68.171.119 |
| zyx3qItgQK.exe | malicious | Njrat | 3.69.115.178 |
| NfJ0jC2dPr.exe | malicious | Njrat | 3.69.157.220 |
| ziTLBa3N50.exe | malicious | Njrat | 3.69.157.220 |
| 1.exe | malicious | Njrat | 3.66.38.117 |
| 226dVJ2zRZ.exe | malicious | Njrat | 3.69.157.220 |
| IsJb5hB84q.exe | malicious | Njrat | 3.66.38.117 |
| Terraria.exe | malicious | Njrat | 3.66.38.117 |
| myidJB8lDL.exe | malicious | Njrat | 3.69.115.178 |

ASN AMAZON-02, US (shown once; the report lists it for both contacted IPs)

| Associated sample | Detection | Threat name | IP |
|---|---|---|---|
| SecuriteInfo.com.Trojan.GenericKDZ.105649.13827.32664.exe | malicious | Amadey, RisePro Stealer | 44.240.103.52 |
| olMNutIxCR.elf | malicious | Mirai | 34.249.145.219 |
| SecuriteInfo.com.Trojan.GenericKDZ.105649.30549.11143.exe | malicious | Amadey, RisePro Stealer | 13.226.34.9 |
| Au7iqS4S75.elf | malicious | Mirai | 44.249.140.61 |
| SecuriteInfo.com.Trojan.GenericKDZ.105649.15764.2812.exe | malicious | Amadey, RisePro Stealer | 44.237.193.248 |
| SecuriteInfo.com.Trojan.GenericKDZ.105649.26510.19959.exe | malicious | Amadey, RisePro Stealer | 54.201.250.14 |
| most-arm7-20240218-0708.elf | malicious | Mirai | 54.171.230.55 |
| SecuriteInfo.com.Win32.TrojanX-gen.12596.20471.exe | malicious | Amadey, RisePro Stealer | 13.226.34.75 |
| SecuriteInfo.com.Variant.Ser.Zusy.4878.18518.2249.exe | malicious | Amadey, RisePro Stealer | 44.240.103.52 |
| vQh7KpJf5Z.exe | malicious | Amadey, RisePro Stealer | 13.226.34.86 |
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\Client.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):425
                                                      Entropy (8bit):5.357964438493834
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                                      MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                                      SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                                      SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                                      SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                      Process:C:\Users\user\AppData\Roaming\WindowsDefender.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):425
                                                      Entropy (8bit):5.357964438493834
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                                      MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                                      SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                                      SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                                      SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                      Process:C:\Users\user\Desktop\Client.exe
                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):159
                                                      Entropy (8bit):5.121086766768822
                                                      Encrypted:false
                                                      SSDEEP:3:mKDDCMNqTtvL5ot+kiEaKC59K7Kb4bmqRDt+kiE2J5xAInTRINERlWHVZPy:hWKqTtT6wknaZ5jb4bmq1wkn23fTzjAe
                                                      MD5:5E42C47092C7DFF845432F735AE4F63E
                                                      SHA1:17E33D73A31AC9EE81F4CF68EDC3B529AF7FDE5E
                                                      SHA-256:186594541C157546A7FAF2D99F0F1439A356CC4BC442937B6A956EBD0911CB1D
                                                      SHA-512:A76FB441A78DD063C24E3535D318E92C2BFBDEC15BA61C81DA5F49BE6D85B9B2525445F07E12C38A03D3023506D9997508F0DFB2B7654548E0EDD21D4F29C38D
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\WindowsDefender.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpB214.tmp.bat" /f /q..
                                                      Process:C:\Users\user\Desktop\Client.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):48640
                                                      Entropy (8bit):5.620646070720839
                                                      Encrypted:false
                                                      SSDEEP:768:59n7mxUzILWCaS+Di1xCKzVixM8YbxgeXP9RavEgK/JXZVc6KN:597AKW1xCGLzb+SPTankJXZVclN
                                                      MD5:304D41BAAA716A6D582877785F93EF68
                                                      SHA1:A2B16217D6326C54FBD7CA5586519D50CE3E20CA
                                                      SHA-256:760D61C1B76F9A909E2E427ED60C7CC76EBB32246B8AEC5459D882A04482B1EA
                                                      SHA-512:2A1F1859BF1EE1FF3BE5469D44DAF96BA8E6F26E377A6E538E64BE815D4E7EB87911B0CBD2CDDD3135C2F0E6933151FC47F8AEEFA22E7BECFA1BABB8D38F3A41
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: Joe Security
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 84%
                                                      • Antivirus: Virustotal, Detection: 75%, Browse
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........]...m............................................................/.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(B......*2~.....oC...*.s....%r...po....(g...r...p(....o....o....o....( ... ....(....*.s....%r...po....r...po....%r...po.....o....o....( ...*Vs.........sh........*...(,.....(-........(a...(o........*.rY..p(g...rk..p(....o....(...+.!..
                                                      Process:C:\Windows\System32\timeout.exe
                                                      File Type:ASCII text, with CRLF line terminators, with overstriking
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.41440934524794
                                                      Encrypted:false
                                                      SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                      MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                      SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                      SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                      SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.620646070720839
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:Client.exe
                                                      File size:48'640 bytes
                                                      MD5:304d41baaa716a6d582877785f93ef68
                                                      SHA1:a2b16217d6326c54fbd7ca5586519d50ce3e20ca
                                                      SHA256:760d61c1b76f9a909e2e427ed60c7cc76ebb32246b8aec5459d882a04482b1ea
                                                      SHA512:2a1f1859bf1ee1ff3be5469d44daf96ba8e6f26e377a6e538e64be815d4e7eb87911b0cbd2cddd3135c2f0e6933151fc47f8aeefa22e7becfa1babb8d38f3a41
                                                      SSDEEP:768:59n7mxUzILWCaS+Di1xCKzVixM8YbxgeXP9RavEgK/JXZVc6KN:597AKW1xCGLzb+SPTankJXZVclN
                                                      TLSH:F8235C4037D8C136E2BD4BB4ADF2A2458675D26B2903D69D2CC814AB1F13FC59603AFE
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                                                      Icon Hash:90cececece8e8eb0
                                                      Entrypoint:0x40cbee
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb9c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xabf4 | 0xac00 | 4539542d6d8fd0790a68697448589032 | False | 0.5025208938953488 | data | 5.6457900198564825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 9cc3092cce02ce84ba550db4d081ed6e | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2024 12:01:10.562514067 CET | 49730 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:10.732001066 CET | 16234 | 49730 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:11.247665882 CET | 49730 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:11.417249918 CET | 16234 | 49730 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:11.919462919 CET | 49730 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:12.089040041 CET | 16234 | 49730 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:12.591411114 CET | 49730 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:12.760931969 CET | 16234 | 49730 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:13.263267040 CET | 49730 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:13.435138941 CET | 16234 | 49730 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:18.815006018 CET | 49736 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:18.984210014 CET | 16234 | 49736 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:19.497529030 CET | 49736 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:19.670046091 CET | 16234 | 49736 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:20.185038090 CET | 49736 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:20.354664087 CET | 16234 | 49736 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:20.856877089 CET | 49736 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:21.026032925 CET | 16234 | 49736 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:21.528768063 CET | 49736 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:21.698263884 CET | 16234 | 49736 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:33.749093056 CET | 49738 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:33.917242050 CET | 16234 | 49738 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:34.419544935 CET | 49738 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:34.588121891 CET | 16234 | 49738 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:35.091598034 CET | 49738 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:35.259531021 CET | 16234 | 49738 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:35.763351917 CET | 49738 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:35.932161093 CET | 16234 | 49738 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:36.435043097 CET | 49738 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:36.602920055 CET | 16234 | 49738 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:41.608120918 CET | 49739 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:41.778335094 CET | 16234 | 49739 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:42.278762102 CET | 49739 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:42.449201107 CET | 16234 | 49739 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:42.950762033 CET | 49739 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:43.121272087 CET | 16234 | 49739 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:43.622596025 CET | 49739 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:43.795423985 CET | 16234 | 49739 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:44.310172081 CET | 49739 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:44.480479956 CET | 16234 | 49739 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:49.485625982 CET | 49740 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:49.656310081 CET | 16234 | 49740 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:50.169363976 CET | 49740 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:50.341094017 CET | 16234 | 49740 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:50.856870890 CET | 49740 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:51.027193069 CET | 16234 | 49740 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:51.528776884 CET | 49740 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:51.699407101 CET | 16234 | 49740 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:01:52.200747013 CET | 49740 | 16234 | 192.168.2.4 | 3.69.157.220
Feb 18, 2024 12:01:52.371457100 CET | 16234 | 49740 | 3.69.157.220 | 192.168.2.4
Feb 18, 2024 12:02:19.231390953 CET | 49745 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:19.399085045 CET | 16234 | 49745 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:19.903814077 CET | 49745 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:20.071485996 CET | 16234 | 49745 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:20.575750113 CET | 49745 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:20.743501902 CET | 16234 | 49745 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:21.247589111 CET | 49745 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:21.415575027 CET | 16234 | 49745 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:21.919325113 CET | 49745 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:22.087258101 CET | 16234 | 49745 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:27.092572927 CET | 49746 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:27.262737036 CET | 16234 | 49746 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:27.763194084 CET | 49746 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:27.933278084 CET | 16234 | 49746 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:28.434966087 CET | 49746 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:28.604775906 CET | 16234 | 49746 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:29.106828928 CET | 49746 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:29.276813030 CET | 16234 | 49746 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:29.778713942 CET | 49746 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:29.948875904 CET | 16234 | 49746 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:34.952085972 CET | 49747 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:35.121758938 CET | 16234 | 49747 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:35.622730970 CET | 49747 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:35.791924000 CET | 16234 | 49747 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:36.295550108 CET | 49747 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:36.464989901 CET | 16234 | 49747 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:36.966573954 CET | 49747 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:37.136157990 CET | 16234 | 49747 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:37.638353109 CET | 49747 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:37.807315111 CET | 16234 | 49747 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:50.280332088 CET | 49749 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:50.448029995 CET | 16234 | 49749 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:50.950690031 CET | 49749 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:51.118983030 CET | 16234 | 49749 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:51.625435114 CET | 49749 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:51.793603897 CET | 16234 | 49749 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:52.294611931 CET | 49749 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:52.462826014 CET | 16234 | 49749 | 18.197.239.109 | 192.168.2.4
Feb 18, 2024 12:02:52.966537952 CET | 49749 | 16234 | 192.168.2.4 | 18.197.239.109
Feb 18, 2024 12:02:53.134777069 CET | 16234 | 49749 | 18.197.239.109 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 18, 2024 12:01:10.464859009 CET | 53881 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2024 12:01:10.555841923 CET | 53 | 53881 | 1.1.1.1 | 192.168.2.4
Feb 18, 2024 12:02:19.139513016 CET | 59450 | 53 | 192.168.2.4 | 1.1.1.1
Feb 18, 2024 12:02:19.230408907 CET | 53 | 59450 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 18, 2024 12:01:10.464859009 CET | 192.168.2.4 | 1.1.1.1 | 0x7f6d | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Feb 18, 2024 12:02:19.139513016 CET | 192.168.2.4 | 1.1.1.1 | 0x85cb | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 18, 2024 12:01:10.555841923 CET | 1.1.1.1 | 192.168.2.4 | 0x7f6d | No error (0) | 6.tcp.eu.ngrok.io | | 3.69.157.220 | A (IP address) | IN (0x0001) | false
Feb 18, 2024 12:02:19.230408907 CET | 1.1.1.1 | 192.168.2.4 | 0x85cb | No error (0) | 6.tcp.eu.ngrok.io | | 18.197.239.109 | A (IP address) | IN (0x0001) | false


                                                      Target ID:0
                                                      Start time:12:00:55
                                                      Start date:18/02/2024
                                                      Path:C:\Users\user\Desktop\Client.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\Desktop\Client.exe
                                                      Imagebase:0x580000
                                                      File size:48'640 bytes
                                                      MD5 hash:304D41BAAA716A6D582877785F93EF68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1674383433.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1645252925.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1673920516.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.1674383433.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"' & exit
                                                      Imagebase:0x7ff72a1c0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB214.tmp.bat""
                                                      Imagebase:0x7ff72a1c0000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:schtasks /create /f /sc onlogon /rl highest /tn "WindowsDefender" /tr '"C:\Users\user\AppData\Roaming\WindowsDefender.exe"'
                                                      Imagebase:0x7ff76f990000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:12:00:58
                                                      Start date:18/02/2024
                                                      Path:C:\Windows\System32\timeout.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:timeout 3
                                                      Imagebase:0x7ff64ffe0000
                                                      File size:32'768 bytes
                                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:12:01:00
                                                      Start date:18/02/2024
                                                      Path:C:\Users\user\AppData\Roaming\WindowsDefender.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\WindowsDefender.exe
                                                      Imagebase:0x4b0000
                                                      File size:48'640 bytes
                                                      MD5 hash:304D41BAAA716A6D582877785F93EF68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2912950876.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2911936077.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.2912950876.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: Joe Security
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: unknown
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\WindowsDefender.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 84%, ReversingLabs
                                                      • Detection: 75%, Virustotal
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:12:01:01
                                                      Start date:18/02/2024
                                                      Path:C:\Users\user\AppData\Roaming\WindowsDefender.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\WindowsDefender.exe"
                                                      Imagebase:0x7ff71e800000
                                                      File size:48'640 bytes
                                                      MD5 hash:304D41BAAA716A6D582877785F93EF68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.1718869838.000000000066C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.1719419411.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 39e1c8b14de682ed681a025b75349f9365f9ada85199c34068309c920e755cd5
                                                        • Instruction ID: e5214c78fe5a0602ca9a68e3accd0a606c7de9acc2dddad60b85e5d0ab3b76d5
                                                        • Opcode Fuzzy Hash: 39e1c8b14de682ed681a025b75349f9365f9ada85199c34068309c920e755cd5
                                                        • Instruction Fuzzy Hash: 5CB1F757B0E5A64AE32AB3BD78794E92B40DF8163D70901F7D0ED8E0D7EC48248B9295
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 2b28adae7c5ccd274141593114996d53d95b4a1b4267169c2f54b24509a711dd
                                                        • Instruction ID: 71ed251315c92ae947f4b84193e0e25250186166bd7b89fb7b64a84523b3e147
                                                        • Opcode Fuzzy Hash: 2b28adae7c5ccd274141593114996d53d95b4a1b4267169c2f54b24509a711dd
                                                        • Instruction Fuzzy Hash: CAB1F657B0E5A64AE32AB3BD78794E92F40DF8123D70901F7D0ED8E0D7EC48248B9295
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: d2b0d2f41c95558a06f5959507eb4b91c7915fe2dd6b459c3e90a7daafb9fa0b
                                                        • Instruction ID: a13d276b57d2fd7b61816cb7e73467411fe5e347828295af8c2807018ddcd344
                                                        • Opcode Fuzzy Hash: d2b0d2f41c95558a06f5959507eb4b91c7915fe2dd6b459c3e90a7daafb9fa0b
                                                        • Instruction Fuzzy Hash: 75910857B0E5A54AE32AB7BD78794E92B40DF8123D70901F7D0ED8B0D3EC58248B8295
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 03d13702022aeee448caada3f007711578639ef31c07a2dbb63cc6c1b38cef9a
                                                        • Instruction ID: d0ddb42c258f2e29374b6cc2b86ee5788d445e8926477b9797577cd2463ead66
                                                        • Opcode Fuzzy Hash: 03d13702022aeee448caada3f007711578639ef31c07a2dbb63cc6c1b38cef9a
                                                        • Instruction Fuzzy Hash: 14910953B0E5A54AE32AB7BD78794E92F40DF8123D70901F7D0ED8B0D3EC48248B9295
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: ad6e4b195cfaf7cdf860163912a47792858707415a742e1e34432269311c3b04
                                                        • Instruction ID: 9d8ec0bdb3596efe6dc627986d86f216139caee866cf1edb3dbd3123cf6d1999
                                                        • Opcode Fuzzy Hash: ad6e4b195cfaf7cdf860163912a47792858707415a742e1e34432269311c3b04
                                                        • Instruction Fuzzy Hash: 1951E753B0F9998FE326E7BC68795E92B80DF9563970901FBC0EDCB193E854244B8345
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 8374b71c9be41195be67e4fd217750af340fcb805e97616208e9fbc3c326d569
                                                        • Instruction ID: 22841ee4e8baaf35541275814661309a957197eb6dbeee8f9ed4d5af99d46606
                                                        • Opcode Fuzzy Hash: 8374b71c9be41195be67e4fd217750af340fcb805e97616208e9fbc3c326d569
                                                        • Instruction Fuzzy Hash: C1510853B0FA998FE326F7BC68795E92B80DF8563870901FBC0ADCA093EC54644B8345
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 85ff5054997ef1fc7e7f306cc577ee5d6c74f5a4ab46b00223bed382f3074c30
                                                        • Instruction ID: b47e4e80bc9bbd9375282f462a591c5d3bd7ee97fa1afbf56df3f9314e5fd80a
                                                        • Opcode Fuzzy Hash: 85ff5054997ef1fc7e7f306cc577ee5d6c74f5a4ab46b00223bed382f3074c30
                                                        • Instruction Fuzzy Hash: BE512893A0FAD99FE326E77C687D4E93B80DF4562870900FBC0ADCB193EC1464468346
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: O_^2$O_^;$O_^D
                                                        • API String ID: 0-1588794792
                                                        • Opcode ID: 99d44acc3aad7d34ba84ec60b37afb60fccc3f6521812da6b3f97f9faa0d679f
                                                        • Instruction ID: ff5f7cab127a2fe05691a112faa1f6847252c6173ba07acd0a05c41d82b17f72
                                                        • Opcode Fuzzy Hash: 99d44acc3aad7d34ba84ec60b37afb60fccc3f6521812da6b3f97f9faa0d679f
                                                        • Instruction Fuzzy Hash: DD213873B094698FE31AB7AC7CB59E93790DF4422D70500B7D06ECB283EC1464869285
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #CO_^
                                                        • API String ID: 0-2320335572
                                                        • Opcode ID: b6f33264f76fbec2e40e8d6dc52280fa4f76bf756981faf82639304cb8a1354f
                                                        • Instruction ID: 190ded9de530a4759348fec9ceb21db31a3e1e6d7c3499f368c9c838df1053a5
                                                        • Opcode Fuzzy Hash: b6f33264f76fbec2e40e8d6dc52280fa4f76bf756981faf82639304cb8a1354f
                                                        • Instruction Fuzzy Hash: 74E13D30B19D1D8FEB98EBAC8465BBD72E1EF98300F450179E41DD32E6DE28AC428741
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #CO_^
                                                        • API String ID: 0-2320335572
                                                        • Opcode ID: 16a66e3e34fcc16c4411635b09f4e89e961cf9a25a96a9e2f37e72234f285cd6
                                                        • Instruction ID: b9dd6ab23b168666fd5e52150aa9af4e71349a5e2d876c7c759822c95faeb4fb
                                                        • Opcode Fuzzy Hash: 16a66e3e34fcc16c4411635b09f4e89e961cf9a25a96a9e2f37e72234f285cd6
                                                        • Instruction Fuzzy Hash: 51519120F2EA1F4BFBB56BE480716BD6292AF49B04F120079E86DD61E7DD3CB9444252
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7bfdf92498b40a26358199db3526701c596b51c9e00af5ec3c26fafc47043eec
                                                        • Instruction ID: 50bc577f59595e08fb6d219f4e80bddc570786fed6cd16743e6154c8c8debb39
                                                        • Opcode Fuzzy Hash: 7bfdf92498b40a26358199db3526701c596b51c9e00af5ec3c26fafc47043eec
                                                        • Instruction Fuzzy Hash: 0881D170B59E5D8FE799E77890709697BE2EF892007C044BAE019C72DBCE3C990AC751
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a028b927a66943e3d346ae26bbbef9944f563bcd3c4064f800d9aea9194fa8b6
                                                        • Instruction ID: e5391b422e5f2118287150813184d8f28a891b46bcff3139a953622fabb8d640
                                                        • Opcode Fuzzy Hash: a028b927a66943e3d346ae26bbbef9944f563bcd3c4064f800d9aea9194fa8b6
                                                        • Instruction Fuzzy Hash: 4D51C321F18D0D4FE798BB6C586ABBC62D2EF9C715B14417AE42DC32DBDD28AC424381
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da1732c28e8519fdb5e558077c5f5bed16b9467aefdfa50d0d80488acc2a4fe4
                                                        • Instruction ID: cb7870004ac7fecf3e7336f7a1c2d1e239ca05ff5916adf2e75ba0d341ae1cbd
                                                        • Opcode Fuzzy Hash: da1732c28e8519fdb5e558077c5f5bed16b9467aefdfa50d0d80488acc2a4fe4
                                                        • Instruction Fuzzy Hash: 49614926B0EA8E4FE358A76C78B14B87F61EF8921074441F7D46CC72DBDD28684E8752
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1677688542.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b880000_Client.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:27.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:6
                                                        Total number of Limit Nodes:0
[Execution graph image not reproduced; its nodes include calls to LoadLibraryA and VirtualProtect]

                                                        Control-flow Graph

[Control-flow graph image not reproduced; legend: Executed / Not Executed]
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.2919983150.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b880000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ,
                                                        • API String ID: 0-3772416878
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

[Control-flow graph image not reproduced; legend: Executed / Not Executed; the graph's nodes include a call to LoadLibraryA]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.2919983150.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b880000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

[Control-flow graph image not reproduced; legend: Executed / Not Executed; the graph's nodes include a call to VirtualProtect]
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.2919983150.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_7ffd9b880000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        • Opcode ID: 6e33717b120e5698bb2671e0ba14a80c9a248a9e2922f56d5f1c8672c05173eb
                                                        • Instruction ID: 4e74939d1bae73f6be720fdcc0d911a95c959897293582f1801cdd55adca397d
                                                        • Opcode Fuzzy Hash: 6e33717b120e5698bb2671e0ba14a80c9a248a9e2922f56d5f1c8672c05173eb
                                                        • Instruction Fuzzy Hash: F1511892B0E6E58FE726A77CA87D4E93B90DF5562C70901FBC0ACCB0D3F84464468256
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: M_^2$M_^;$M_^D
                                                        • API String ID: 0-992096520
                                                        • Opcode ID: db714aa4c7e151aceb98a802e79b0460e03e026ee771cf4b4162457b909369b9
                                                        • Instruction ID: 256ae81d58c561e7f77627c6b679be6d600ab0f7dd3507afad5dca3af49a7541
                                                        • Opcode Fuzzy Hash: db714aa4c7e151aceb98a802e79b0460e03e026ee771cf4b4162457b909369b9
                                                        • Instruction Fuzzy Hash: 46210572B084698FE31AB7AC78A99E937D0DF4422C70502B7D05CCB1C3FC18A4869695
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #CM_^
                                                        • API String ID: 0-2311673530
                                                        • Opcode ID: 8cb2e5a70415d888cbdd0706f4f67d1ffd37a309ca493db3537f584b800edef2
                                                        • Instruction ID: 026dd13ce27a87d7140401077923e9943eb029cf36217c5a72ecfd0042a7850d
                                                        • Opcode Fuzzy Hash: 8cb2e5a70415d888cbdd0706f4f67d1ffd37a309ca493db3537f584b800edef2
                                                        • Instruction Fuzzy Hash: 6A51BF20F2E62F4AFBB977E580716BD5290AF4CB04F130079E84E961E7DD1CBA4442B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0b0ed5f5a0c4013f6129d829a51b295a13568db1c7e4b0fd5eb9b55ec9472e41
                                                        • Instruction ID: ef4e214644416455b3d4aa9ba982c97a411a080fc5fafb5710187650d7321772
                                                        • Opcode Fuzzy Hash: 0b0ed5f5a0c4013f6129d829a51b295a13568db1c7e4b0fd5eb9b55ec9472e41
                                                        • Instruction Fuzzy Hash: 56012651B0E7840FE7A6AB6858754357FE1DF9614070D00EBE489C70F3DC08998583A2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 99948b7c0f8cf10004e7c66831cd415e9202efd1087a79e7448794ddf30a4ef2
                                                        • Instruction ID: 091557d222cf7dc8d3a6bc80a169b6913d48a4b48fb4899bdafa3193fef26ca9
                                                        • Opcode Fuzzy Hash: 99948b7c0f8cf10004e7c66831cd415e9202efd1087a79e7448794ddf30a4ef2
                                                        • Instruction Fuzzy Hash: E081D570B59A494FDB9DE779A0719697FE2EF892107C144B4E00EC729BCD39E802C781
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 97d28542e1735dbe7d7505a63384b4acc8c9d3df3b375e75db7fa705d75238d8
                                                        • Instruction ID: 6badb0e005d4ef5a80c09dd53a5401e802ea08e7b3a61bb9186753799dc9c17a
                                                        • Opcode Fuzzy Hash: 97d28542e1735dbe7d7505a63384b4acc8c9d3df3b375e75db7fa705d75238d8
                                                        • Instruction Fuzzy Hash: 7B51E621F18D0E4FE798FB6C586A7BC62D2EF99711B1441BAE45DC32DBDD28AC428341
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15d2026b05857c9dd01106e72704aee51be465f6e422839ec5eeec041ae6212e
                                                        • Instruction ID: 18d6b74a40135f2d1e59e48977775afa6a8b9f20c7799de208f952c2715d8d36
                                                        • Opcode Fuzzy Hash: 15d2026b05857c9dd01106e72704aee51be465f6e422839ec5eeec041ae6212e
                                                        • Instruction Fuzzy Hash: 35519621F19D0D4FDBA8FB6C94616B873D2EF9D750F450279E41ED3296DE28AC028390
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2039f5b70584c17b367f7fe037035b4a224a5dc4e1329d7dd7d6018bca3f674
                                                        • Instruction ID: a2f1872876243aace10713855d820d5b1ca335f4865a1d822edb2246329c469b
                                                        • Opcode Fuzzy Hash: a2039f5b70584c17b367f7fe037035b4a224a5dc4e1329d7dd7d6018bca3f674
                                                        • Instruction Fuzzy Hash: F0615422B0E98A4FE32DA76D78B55B87F61EF8961078540F6D05DC32DBDC24B8028392
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 488f5f6db47328ba871fa94c72d5d41daa98c33fffb0e78a0952ef65ec6d2c91
                                                        • Instruction ID: bc7d50b4526013145d289a69c8afb750263959513066bec04de6b9d445c07e5e
                                                        • Opcode Fuzzy Hash: 488f5f6db47328ba871fa94c72d5d41daa98c33fffb0e78a0952ef65ec6d2c91
                                                        • Instruction Fuzzy Hash: A1412F31F19A8D4FD359F77898645B97BE1EF8A311B4500BAE44DC71E7CD249841C741
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4d2551610d159d9442da9eab2d9323f7f6b913986461b89d5602ff527c2f4e32
                                                        • Instruction ID: 28870f752b1e4811d5d10077b75a73752e799eaecca566d81e54335469d08804
                                                        • Opcode Fuzzy Hash: 4d2551610d159d9442da9eab2d9323f7f6b913986461b89d5602ff527c2f4e32
                                                        • Instruction Fuzzy Hash: 03219231B1CA494FEB4CEB68A4257AD77D1EB99314F00017DE44EC32D6DE28A9018786
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a916b6b84c52287bb869c91d45ca6c31beb37757e8e7762201a15af237043bd2
                                                        • Instruction ID: 0a0e3b2c03d107ff57f630c4bd7fce37e3b0daa774a179d2a75867dd25952786
                                                        • Opcode Fuzzy Hash: a916b6b84c52287bb869c91d45ca6c31beb37757e8e7762201a15af237043bd2
                                                        • Instruction Fuzzy Hash: 3711C620B0EAC90FD347E3785869AA53FE1AF4B225B0901E6D08CCB0B3D9588945C352
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3fe07aec5f55c29a43ecd5f6dff9b39fdf8ddd4ea11056105570913163b91249
                                                        • Instruction ID: bbaa3e54d32f19379d29ddf2cc84eca44a3715cd2cd98a1cd32f5584d388c67c
                                                        • Opcode Fuzzy Hash: 3fe07aec5f55c29a43ecd5f6dff9b39fdf8ddd4ea11056105570913163b91249
                                                        • Instruction Fuzzy Hash: 5811CE35B1590D8FDB99EB98C065AE8B7A2EF9D310F540178D00EE36D5CE28A882CB10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ff5812e1f9e34c6c385c4f1110e2eda793c5a4e54bd8d5eaf9eaf6e53fe90447
                                                        • Instruction ID: 2e543d2167b0103bf8dce6e9876b5ce456ba67fac28bf241afe49624f1990279
                                                        • Opcode Fuzzy Hash: ff5812e1f9e34c6c385c4f1110e2eda793c5a4e54bd8d5eaf9eaf6e53fe90447
                                                        • Instruction Fuzzy Hash: 8C01F522B098695FE759F37C64A99F927D1DF5822870401B3D05CC7197EC14A8838381
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc2c5c3c024a5f46eb71d1fbc151bd05c03e066389e4bb7ae62b1ca0de6ad249
                                                        • Instruction ID: 5eea6144b1950db46f6f2b70595e9f46af3842316ec6c4cf1ef9f84aff6290cd
                                                        • Opcode Fuzzy Hash: bc2c5c3c024a5f46eb71d1fbc151bd05c03e066389e4bb7ae62b1ca0de6ad249
                                                        • Instruction Fuzzy Hash: 3AE0E57250DA0C1EAB08A659AC17CF67BA8DA8B274B00015EF19DC2063F1526523C255
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_7ffd9b8a0000_WindowsDefender.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42a1643d2d70cad64b03173c34eddc9d760f25b8d93b845323c019341d821a44
                                                        • Instruction ID: 76da0de1871e44da05016123231f8fa468382f31cb1db56cb5b559173393c23d
                                                        • Opcode Fuzzy Hash: 42a1643d2d70cad64b03173c34eddc9d760f25b8d93b845323c019341d821a44
                                                        • Instruction Fuzzy Hash: E0E09B21B15C1D4FE794F76D4499F7952D1EB9C21171101B6E40CC72AADC18DC818391
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
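The records above are the report's per-function fingerprints: each "Memory Dump Source" block names the dumped memory region, the strings the function references, and content hashes (Opcode ID, Instruction ID and their fuzzy variants). Reading dozens of them by hand is slow, so the script below, an added example rather than part of the Joe Sandbox report or its tooling, parses the records, checks that Opcode ID and Opcode Fuzzy Hash agree in every record, groups functions by the strings they reference, and decodes the dump file name. Two assumptions are made and marked in the code: that "$" joins multiple referenced strings in the String ID field, and that the fifth dot-separated field of the .sdmp name is the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE). The base-address field is confirmed by the record's own Offset value. The sample input is three records copied from this section, with bare headings dropped.

```python
"""Parse Joe Sandbox per-function fingerprint records and summarise them for triage."""
import re
from collections import defaultdict

# Constructed input: three records copied from this report, with the bare
# headings ("Similarity", "Uniqueness") dropped and the extraction indent kept.
SAMPLE = """
    Memory Dump Source
    • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
    • String ID: M_^2$M_^;$M_^D
    • API String ID: 0-992096520
    • Opcode ID: 6e33717b120e5698bb2671e0ba14a80c9a248a9e2922f56d5f1c8672c05173eb
    • Instruction ID: 4e74939d1bae73f6be720fdcc0d911a95c959897293582f1801cdd55adca397d
    • Opcode Fuzzy Hash: 6e33717b120e5698bb2671e0ba14a80c9a248a9e2922f56d5f1c8672c05173eb
    • Instruction Fuzzy Hash: F1511892B0E6E58FE726A77CA87D4E93B90DF5562C70901FBC0ACCB0D3F84464468256
    Uniqueness Score: -1.00%
    Memory Dump Source
    • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
    • String ID: M_^2$M_^;$M_^D
    • API String ID: 0-992096520
    • Opcode ID: db714aa4c7e151aceb98a802e79b0460e03e026ee771cf4b4162457b909369b9
    • Instruction ID: 256ae81d58c561e7f77627c6b679be6d600ab0f7dd3507afad5dca3af49a7541
    • Opcode Fuzzy Hash: db714aa4c7e151aceb98a802e79b0460e03e026ee771cf4b4162457b909369b9
    • Instruction Fuzzy Hash: 46210572B084698FE31AB7AC78A99E937D0DF4422C70502B7D05CCB1C3FC18A4869695
    Uniqueness Score: -1.00%
    Memory Dump Source
    • Source File: 00000008.00000002.1722776085.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
    • String ID:
    • API String ID:
    • Opcode ID: 0b0ed5f5a0c4013f6129d829a51b295a13568db1c7e4b0fd5eb9b55ec9472e41
    • Instruction ID: ef4e214644416455b3d4aa9ba982c97a411a080fc5fafb5710187650d7321772
    • Opcode Fuzzy Hash: 0b0ed5f5a0c4013f6129d829a51b295a13568db1c7e4b0fd5eb9b55ec9472e41
    • Instruction Fuzzy Hash: 56012651B0E7840FE7A6AB6858754357FE1DF9614070D00EBE489C70F3DC08998583A2
    Uniqueness Score: -1.00%
"""

# Win32 page-protection constants from winnt.h, used to decode the dump name.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
FIELD_RE = re.compile(r"^\s*[•*-]\s*([^:]+?):\s*(.*?)\s*$")
SCORE_RE = re.compile(r"^\s*Uniqueness Score:\s*(\S+)")

def parse_records(text):
    """Return one dict per 'Memory Dump Source' block, keyed by field name."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if key == "Source File":  # "file, Offset: X, based on PE: bool" on one line
                head, *rest = [p.strip() for p in val.split(",")]
                cur[key] = head
                for part in rest:
                    k, _, v = part.partition(":")
                    cur[k.strip()] = v.strip()
            else:
                cur[key] = val
        elif (m := SCORE_RE.match(line)):
            cur["Uniqueness Score"] = m.group(1)
    return records

def decode_dump_name(name):
    """Split the .sdmp name into dot-separated fields. Field 3 is the region base
    (confirmed: the record repeats it as 'Offset'). Reading field 4 as the page
    protection is an assumption; it is 0x40 (RWX) in every record here."""
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    base, prot = int(fields[3], 16), int(fields[4], 16)
    return {"base": base, "protect": prot, "protect_name": PAGE_PROTECT.get(prot, hex(prot))}

def referenced_strings(record):
    """Strings a function references; assumes '$' joins them, as seen above."""
    return tuple(s for s in record.get("String ID", "").split("$") if s)

def triage(text):
    """Checks an analyst wants before reading individual functions."""
    records = parse_records(text)
    by_strings, rwx_non_pe, mismatches = defaultdict(set), set(), 0
    for r in records:
        mismatches += r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")
        by_strings[referenced_strings(r)].add(r["Opcode ID"])
        info = decode_dump_name(r["Source File"])
        # Executable+writable memory that is not a mapped PE image is where
        # unpacked or injected code usually lives; worth listing separately.
        if info["protect"] == 0x40 and r.get("based on PE") == "false":
            rwx_non_pe.add((r["Source File"], info["base"]))
    return {"functions": len(records), "opcode_hash_mismatches": mismatches,
            "functions_by_strings": {k: sorted(v) for k, v in by_strings.items()},
            "rwx_non_pe_regions": sorted(rwx_non_pe)}

if __name__ == "__main__":
    s = triage(SAMPLE)
    print(f"{s['functions']} functions, {s['opcode_hash_mismatches']} hash mismatches")
    for strings, ids in s["functions_by_strings"].items():
        print(f"  {list(strings) or '(no strings)'}: {len(ids)} function(s)")
    for src, base in s["rwx_non_pe_regions"]:
        print(f"  non-PE RWX region at {base:#x} from {src}")
```

Run against the full report text instead of SAMPLE, the same code shows how many distinct functions share a given set of referenced strings (the three `M_^` strings here are referenced by several functions with different Opcode IDs, i.e. different code, same data) and which non-image RWX regions the functions were dumped from. The "Uniqueness Score: -1.00%" values are kept verbatim; the report does not say what a negative score means, so the script does not interpret it.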