Windows Analysis Report
client.exe

Overview

General Information

Sample name: client.exe
Analysis ID: 1502288
MD5: 3fdaf7d43edcbf138a3f282199a0a576
SHA1: 66f799325fb310bc4e3c810433a53b31256fe6cd
SHA256: 876d061cbbf6c1a4a8cdcfbdbdf5ef74e25476e5da77e502eb586eba8a871ac0
Tags: asyncrat, exe

Detection

AsyncRAT, DcRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • client.exe (PID: 5248 cmdline: "C:\Users\user\Desktop\client.exe" MD5: 3FDAF7D43EDCBF138A3F282199A0A576)
    • cmd.exe (PID: 6948 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6300 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 5624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 3376 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • Defender_procesed.exe (PID: 5632 cmdline: "C:\Users\user\AppData\Roaming\Defender_procesed.exe" MD5: 3FDAF7D43EDCBF138A3F282199A0A576)
  • Defender_procesed.exe (PID: 6404 cmdline: C:\Users\user\AppData\Roaming\Defender_procesed.exe MD5: 3FDAF7D43EDCBF138A3F282199A0A576)
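The persistence chain in the tree above (client.exe spawning cmd.exe to run schtasks /create with an action under %AppData%, then a batch file in Temp that waits three seconds and starts the copy) is exactly what the Sigma rule "Suspicious Schtasks From Env Var Folder" keys on. The Python below is an added example, not part of the Joe Sandbox report and not AsyncRAT code: it replays the reported command lines as constructed process-creation records and flags each step of the chain. The record layout, the parent PID 1234 for the top-level processes and the benign control task are assumptions made for the example.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style). PIDs, images and
# command lines are copied from the process tree in the report; the record layout,
# the parent PID 1234 and the benign "Backup" task are assumptions for this example.
EVENTS = [
    {"pid": 5248, "ppid": 1234, "image": r"C:\Users\user\Desktop\client.exe",
     "cmdline": r'"C:\Users\user\Desktop\client.exe"'},
    {"pid": 6948, "ppid": 5248, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit"""},
    {"pid": 6300, "ppid": 6948, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'"""},
    {"pid": 5624, "ppid": 5248, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""'},
    {"pid": 3376, "ppid": 5624, "image": r"C:\Windows\System32\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 5632, "ppid": 5624, "image": r"C:\Users\user\AppData\Roaming\Defender_procesed.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'},
    # benign control: a task whose action lives under Program Files (assumed)
    {"pid": 7000, "ppid": 1234, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Folders an unprivileged user can write to. A scheduled task whose action lives
# under one of these is the pattern behind "Suspicious Schtasks From Env Var Folder".
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def switch_value(cmdline: str, switch: str):
    """Return the value following a schtasks switch such as /tn, /tr, /sc or /rl.

    Handles the double-wrapped quoting seen in the report, where the /tr value
    is enclosed in both single and double quotes.
    """
    m = re.search(r"(?i)(?:^|\s)" + re.escape(switch) + r"\s+(.*)", cmdline)
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest[:1] in ("'", '"'):
        q = re.match(r"""['"]+(.*?)['"]+""", rest)   # strip the run of opening/closing quotes
        return q.group(1) if q else rest
    return rest.split()[0] if rest else None


def persistence_findings(events):
    """Flag the three steps of the schtasks-based persistence chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cl, low = e["cmdline"], e["cmdline"].lower()
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])

        # 1. schtasks /create whose action (/tr) points into a user-writable folder
        if "schtasks" in low and "/create" in low:
            target = switch_value(cl, "/tr") or ""
            if is_user_writable(target):
                findings.append({
                    "pid": e["pid"], "rule": "schtasks_action_in_user_writable_folder",
                    "task": switch_value(cl, "/tn"), "target": target,
                    "trigger": switch_value(cl, "/sc"), "runlevel": switch_value(cl, "/rl"),
                })

        # 2. cmd.exe executing a .bat dropped in Temp/AppData
        if image.endswith("\\cmd.exe") and ".bat" in low and is_user_writable(low):
            findings.append({"pid": e["pid"], "rule": "cmd_runs_batch_from_user_writable_folder",
                             "cmdline": cl})

        # 3. cmd.exe (the batch runner) starting a binary from a user-writable folder
        if parent and parent["image"].lower().endswith("\\cmd.exe") and is_user_writable(image):
            findings.append({"pid": e["pid"], "rule": "cmd_child_binary_in_user_writable_folder",
                             "image": e["image"], "parent_pid": parent["pid"]})
    return findings


if __name__ == "__main__":
    for f in persistence_findings(EVENTS):
        print(f)
```

Running it yields four findings: the schtasks command as seen in both the cmd.exe launcher (PID 6948) and schtasks.exe itself (PID 6300), the batch file run from Temp (PID 5624) and the copy started from %AppData% (PID 5632); the benign Program Files task is not flagged. On a real host the same logic applies to Sysmon Event ID 1 or Windows Security 4688 data, and the /sc onlogon and /rl highest values are worth keeping in the alert because together they describe a task that runs at every logon with the highest available integrity.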
Malware family information

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
Malware Configuration

{
  "Server": "193.233.74.21",
  "Ports": "7777",
  "Version": "1.0.7",
  "Autorun": "true",
  "Install_Folder": "%AppData%",
  "Install_File": "Defender_procesed.exe",
  "AES_key": "sP48QSay4lIcCh5wtcyw6wMTrOXpM5eO",
  "Mutex": "DcRatMutex_qwgsfhgthfhftgd",
  "Certificate": "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",
  "ServerSignature": "hdfxig1SxinCkdw8JJZKMtMtKB4dMrzycak57JOpzUaoOQXqLNOWP/Yw9E41iOO1DEA/u6LlbgQJTBZSBydWyeNUL3ou+LfZ/Uc9Z6FL3YYXS8RZL/1ZdbOuWbx3UIVLApYPBgPV0xHs+LE/S5pjEThUA49lDg9BidB96yMDpcQ=",
  "External_config_on_Pastebin": "null",
  "BDOS": "false",
  "Startup_Delay": "1",
  "Group": "Default",
  "AntiProcess": "false",
  "AntiVM": "false"
}

The configuration matches the observed behaviour: Autorun is enabled, the install folder and file name give the dropped path C:\Users\user\AppData\Roaming\Defender_procesed.exe, and the C2 is a literal IP address on port 7777. AntiVM and AntiProcess are disabled in this build, so the sandbox-detection and AV-process-string signatures listed above reflect capability present in the binary rather than behaviour enabled by this configuration.
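The extracted configuration contains everything needed to derive host and network indicators. The Python below is an added example (not the sandbox's extractor and not AsyncRAT code) that parses the configuration as dumped above and emits the C2 endpoint, the expected install path, the scheduled-task name, the mutex, and whether a DNS lookup should precede the C2 connection. The expansion of %AppData% to the sandbox user's profile and the derivation of the task name from the install file name (which is what the process tree shows) are assumptions; the Certificate and ServerSignature values are replaced by placeholders.

```python
import ipaddress
import json
import ntpath
import re

# The configuration dumped in the report, embedded as constructed input. The
# Certificate value is truncated in the report; it and ServerSignature are
# replaced by placeholders here because nothing below uses them.
CONFIG_JSON = r'''{"Server": "193.233.74.21", "Ports": "7777", "Version": "1.0.7",
 "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Defender_procesed.exe",
 "AES_key": "sP48QSay4lIcCh5wtcyw6wMTrOXpM5eO", "Mutex": "DcRatMutex_qwgsfhgthfhftgd",
 "Certificate": "<placeholder>", "ServerSignature": "<placeholder>",
 "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1",
 "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}'''

# Assumed expansion of environment placeholders for the sandbox user "user";
# substitute the logged-on user's profile on a real host.
ENV = {
    "%appdata%": r"C:\Users\user\AppData\Roaming",
    "%localappdata%": r"C:\Users\user\AppData\Local",
    "%temp%": r"C:\Users\user\AppData\Local\Temp",
}


def load_config(text: str = CONFIG_JSON) -> dict:
    return json.loads(text)


def expand_env(path: str) -> str:
    """Case-insensitively expand the %VAR% placeholders listed in ENV."""
    out = path
    for var, value in ENV.items():
        # a callable replacement keeps the backslashes in `value` literal
        out = re.sub(re.escape(var), lambda _m, v=value: v, out, flags=re.IGNORECASE)
    return out


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def c2_hosts(cfg: dict) -> list:
    # AsyncRAT lets the operator list several hosts separated by commas.
    return [h.strip() for h in cfg["Server"].split(",") if h.strip()]


def expects_dns_query(cfg: dict) -> bool:
    """True if at least one C2 host is a name the implant must resolve."""
    return any(not is_ip_literal(h) for h in c2_hosts(cfg))


def iocs_from_config(cfg: dict) -> list:
    """Turn the extracted settings into (type, value) indicators."""
    iocs = []
    ports = [p.strip() for p in cfg["Ports"].split(",") if p.strip()]
    for host in c2_hosts(cfg):
        for port in ports:
            iocs.append(("c2", f"{host}:{port}"))
    if cfg.get("Autorun", "false").lower() == "true":
        install_path = expand_env(ntpath.join(cfg["Install_Folder"], cfg["Install_File"]))
        iocs.append(("file", install_path))
        # Assumption (matches the report): the task name is the install file
        # name without its extension.
        iocs.append(("scheduled_task", ntpath.splitext(cfg["Install_File"])[0]))
    iocs.append(("mutex", cfg["Mutex"]))
    return iocs


if __name__ == "__main__":
    cfg = load_config()
    for kind, value in iocs_from_config(cfg):
        print(f"{kind:15} {value}")
    print("DNS query expected before C2 connect:", expects_dns_query(cfg))
```

For this sample the output is the C2 193.233.74.21:7777, the file C:\Users\user\AppData\Roaming\Defender_procesed.exe, the task Defender_procesed and the mutex DcRatMutex_qwgsfhgthfhftgd, with no DNS query expected; that last point is why the networking section reports TCP traffic to the C2 without a corresponding DNS query. Hunting for the task name and mutex is more robust than hunting for the file hash, because the binary is trivially rebuilt while operators tend to reuse their build settings.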
Yara Overview

Sample (client.exe):
  • JoeSecurity_AsyncRAT: Yara detected AsyncRAT (author: Joe Security)
  • INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice: Detects executables attempting to enumerate video devices using WMI (author: ditekSHen)
      0xd11c:$q1: Select * from Win32_CacheMemory
      0xd15c:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0xd1aa:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0xd1f8:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  • INDICATOR_SUSPICIOUS_EXE_DcRatBy: Detects executables containing the string DcRatBy (author: ditekSHen)
      0xd758:$s1: DcRatBy

PCAP (dump.pcap):
  • Windows_Trojan_DCRat_1aeea1ac (author: unknown)
      0x4d1:$b2: DcRat By qwqdanchun1

Dropped file (C:\Users\user\AppData\Roaming\Defender_procesed.exe):
  • JoeSecurity_AsyncRAT: Yara detected AsyncRAT (author: Joe Security)
  • INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author: ditekSHen), strings at the same offsets as in client.exe (0xd11c:$q1, 0xd15c:$d1, 0xd1aa:$d2, 0xd1f8:$d3)
  • INDICATOR_SUSPICIOUS_EXE_DcRatBy (author: ditekSHen), 0xd758:$s1: DcRatBy
  The identical offsets and the identical MD5 (3FDAF7D43EDCBF138A3F282199A0A576) in the process tree show that the dropped file is a byte-for-byte copy of the submitted sample.

Memory dumps:
  • 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AsyncRAT, Yara detected AsyncRAT (author: Joe Security)
  • 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_DcRat_2, Yara detected DcRat (author: Joe Security)
  • 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp: Windows_Trojan_DCRat_1aeea1ac (author: unknown)
      0x7198:$b2: DcRat By qwqdanchun1
      0xee3c:$b2: DcRat By qwqdanchun1
      0xf08c:$b2: DcRat By qwqdanchun1
  • 00000009.00000002.2093139250.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp: Windows_Trojan_DCRat_1aeea1ac (author: unknown)
      0x61c:$b2: DcRat By qwqdanchun1
  • 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp: Windows_Trojan_DCRat_1aeea1ac (author: unknown)
      0x1d38c:$a2: timeout 3 > NUL
      0x514d6:$a2: timeout 3 > NUL
      0x1d3c4:$a3: START "" "
      0x5488:$b1: DcRatByqwqdanchun
  (the report lists 16 entries in this group; the remainder are not reproduced here)

Unpacked PE images:
  • 0.0.client.exe.e40000.0.unpack: JoeSecurity_AsyncRAT, Yara detected AsyncRAT (author: Joe Security)
  • 0.0.client.exe.e40000.0.unpack: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author: ditekSHen)
      0xd11c:$q1: Select * from Win32_CacheMemory
      0xd15c:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0xd1aa:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0xd1f8:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  • 0.0.client.exe.e40000.0.unpack: INDICATOR_SUSPICIOUS_EXE_DcRatBy (author: ditekSHen)
      0xd758:$s1: DcRatBy
  • 0.2.client.exe.36af198.1.raw.unpack: JoeSecurity_AsyncRAT, Yara detected AsyncRAT (author: Joe Security)
  • 0.2.client.exe.36af198.1.raw.unpack: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author: ditekSHen)
      0xd11c:$q1: Select * from Win32_CacheMemory
      0xd15c:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0xd1aa:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0xd1f8:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  (the report lists 4 entries in this group; the remainder are not reproduced here)

The "DcRat By qwqdanchun1" and "timeout 3 > NUL" / START "" " strings are why both the AsyncRAT and DcRat rules fire: DcRat is a fork of the AsyncRAT client and keeps the same installer batch-file template.

System Summary

Sigma rule matches

Invoke-Obfuscation CLIP+ Launcher (author: Jonathan Cheong, oscd.community), source: Process started
  CommandLine (also Command, ProcessCommandLine): "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
  CommandLine|base64offset|contains: (empty)
  Image (also NewProcessName, OriginalFileName): C:\Windows\System32\cmd.exe
  ProcessId: 6948, ProcessName: cmd.exe
  ParentCommandLine: "C:\Users\user\Desktop\client.exe"
  ParentImage: C:\Users\user\Desktop\client.exe, ParentProcessId: 5248, ParentProcessName: client.exe

Invoke-Obfuscation VAR+ Launcher (author: Jonathan Cheong, oscd.community), source: Process started
  Same event as above (cmd.exe PID 6948, parent client.exe PID 5248, identical command line).

Both Invoke-Obfuscation rules fired on the same cmd.exe launcher. The command line contains no PowerShell, so these two hits do not point to an obfuscated PowerShell payload; they corroborate the scheduled-task creation already covered by the rule below.

Potentially Suspicious Malware Callback Communication (author: Florian Roth (Nextron Systems)), source: Network Connection
  Image: C:\Users\user\AppData\Roaming\Defender_procesed.exe, ProcessId: 6404
  EventID: 3, Protocol: tcp, Initiated: true
  SourceIp: 192.168.2.5, SourcePort: 49704, SourceIsIpv6: false
  DestinationIp: 193.233.74.21, DestinationPort: 7777, DestinationIsIpv6: false

Suspicious Schtasks From Env Var Folder (author: Florian Roth (Nextron Systems)), source: Process started
  CommandLine (also Command, ProcessCommandLine): schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
  CommandLine|base64offset|contains: mj,
  Image (also NewProcessName, OriginalFileName): C:\Windows\System32\schtasks.exe
  ProcessId: 6300, ProcessName: schtasks.exe
  ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
  ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6948, ParentProcessName: cmd.exe

Suricata IDS alerts

All three alerts are on the 193.233.74.21:7777 -> 192.168.2.5:49704 direction (source port 7777), i.e. they fired on the TLS certificate the C2 server returned; the rule names are listed under Networking below.

Timestamp: 2024-08-31T23:03:00.468176+0200 | SID: 2842478 | Severity: 1 | Source port: 7777 | Destination port: 49704 | Protocol: TCP | Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-31T23:03:00.468176+0200 | SID: 2034847 | Severity: 1 | Source port: 7777 | Destination port: 49704 | Protocol: TCP | Classtype: Domain Observed Used for C2 Detected
Timestamp: 2024-08-31T23:03:00.468176+0200 | SID: 2848048 | Severity: 1 | Source port: 7777 | Destination port: 49704 | Protocol: TCP | Classtype: Domain Observed Used for C2 Detected


              AV Detection

Source: client.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Avira: detection malicious, label: HEUR/AGEN.1307453
Source: client.exe | Malware Configuration Extractor: AsyncRAT (configuration as listed under Malware Configuration above)
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | ReversingLabs: detection 78%
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | VirusTotal: detection 74%
Source: client.exe | ReversingLabs: detection 78%
Source: client.exe | VirusTotal: detection 74%
Source: Submitted sample | Integrated Neural Analysis Model: matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Joe Sandbox ML: detected
Source: client.exe | Joe Sandbox ML: detected
Source: client.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 193.233.74.21:7777 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 193.233.74.21:7777 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 193.233.74.21:7777 -> 192.168.2.5:49704
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.233.74.21:7777
Source: Joe Sandbox View | ASN name: MGNHOST-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.74.21 (reported 50 times; the C2 address is stored as a literal IP in the configuration, so no lookup is expected)
Source: Defender_procesed.exe, 00000008.00000002.3259844986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp; Defender_procesed.exe, 00000008.00000002.3265329144.000000001B6C3000.00000004.00000020.00020000.00000000.sdmp; 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Defender_procesed.exe, 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ene0895
Source: client.exe, 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp; client.exe, 00000000.00000002.2046407660.00000000036A6000.00000004.00000800.00020000.00000000.sdmp; Defender_procesed.exe, 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp; Defender_procesed.exe, 00000008.00000002.3260450714.000000000300A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

The ctldl.windowsupdate.com URLs are the Windows certificate trust list download that the OS performs during certificate-chain validation; they are a side effect of the TLS handshake with the C2, not attacker infrastructure. The only network indicator specific to this sample is 193.233.74.21:7777.
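The "TCP traffic detected without corresponding DNS query" finding is a correlation between the DNS log and the connection log that is easy to reproduce outside the sandbox. The Python below is an added example, not part of this report: it takes constructed DNS-answer and network-connection records (the Defender_procesed.exe connection is the one from the Sigma network event above; the remaining records are invented controls), ignores destinations that are not globally routable, and flags outbound connections to public addresses that no DNS answer produced, annotating non-standard ports and binaries running from a user profile.

```python
import ipaddress

# Constructed records. The first connection reproduces the Sysmon Event ID 3 data
# from the report (Defender_procesed.exe, PID 6404, 192.168.2.5:49704 -> 193.233.74.21:7777);
# the DNS answers and the other connections are invented controls for this example.
DNS_ANSWERS = [
    {"query": "dns.google", "answers": ["8.8.8.8"]},
    {"query": "one.one.one.one", "answers": ["1.1.1.1"]},
]
CONNECTIONS = [
    {"image": r"C:\Users\user\AppData\Roaming\Defender_procesed.exe", "pid": 6404,
     "src_ip": "192.168.2.5", "src_port": 49704, "dst_ip": "193.233.74.21", "dst_port": 7777},
    {"image": r"C:\Windows\System32\svchost.exe", "pid": 1200,
     "src_ip": "192.168.2.5", "src_port": 49710, "dst_ip": "8.8.8.8", "dst_port": 443},
    {"image": r"C:\Program Files\Internet Explorer\iexplore.exe", "pid": 4100,
     "src_ip": "192.168.2.5", "src_port": 49711, "dst_ip": "1.1.1.1", "dst_port": 80},
    {"image": r"C:\Windows\System32\svchost.exe", "pid": 1200,
     "src_ip": "192.168.2.5", "src_port": 49712, "dst_ip": "192.168.2.1", "dst_port": 7777},
]

# Ports that legitimate software commonly talks to; anything else is worth noting.
COMMON_PORTS = frozenset({22, 25, 53, 80, 443, 587, 993, 995, 3389})


def resolved_ips(dns_records) -> set:
    """Every address returned by any observed DNS answer."""
    ips = set()
    for record in dns_records:
        ips.update(record["answers"])
    return ips


def direct_ip_connections(connections, dns_records, common_ports=COMMON_PORTS) -> list:
    """Return outbound connections to public addresses that no DNS answer produced."""
    known = resolved_ips(dns_records)
    findings = []
    for c in connections:
        dst = ipaddress.ip_address(c["dst_ip"])
        if not dst.is_global:          # LAN, loopback, link-local, multicast, documentation ranges
            continue
        if c["dst_ip"] in known:       # the process (or something on the host) resolved it
            continue
        findings.append({
            "pid": c["pid"],
            "image": c["image"],
            "dst": f'{c["dst_ip"]}:{c["dst_port"]}',
            "non_standard_port": c["dst_port"] not in common_ports,
            "image_in_user_profile": "\\users\\" in c["image"].lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in direct_ip_connections(CONNECTIONS, DNS_ANSWERS):
        print(finding)
```

Only the Defender_procesed.exe connection is returned, tagged with both a non-standard port and an image under C:\Users. When applying this to real telemetry, collect DNS answers over a window that starts well before the connection (cached or earlier resolutions are the main source of false positives) and treat the two annotations as scoring inputs rather than hard conditions: plenty of legitimate software connects to hard-coded IPs, but rarely from %AppData% on port 7777.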

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED

              System Summary

              barindex
              Source: client.exe, type: SAMPLEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: client.exe, type: SAMPLEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
              Source: dump.pcap, type: PCAPMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
              Source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
              Source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
              Source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000009.00000002.2093139250.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000008.00000002.3265329144.000000001B6C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000000.00000002.2045845766.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000000.00000002.2046407660.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000008.00000002.3260450714.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: 00000009.00000002.2093797285.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: Process Memory Space: Defender_procesed.exe PID: 5632, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPEDMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
              Source: C:\Users\user\Desktop\client.exeCode function: 0_2_00007FF848D931EE NtProtectVirtualMemory,0_2_00007FF848D931EE
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D931EE NtProtectVirtualMemory,8_2_00007FF848D931EE
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 9_2_00007FF848D631C5 NtProtectVirtualMemory,9_2_00007FF848D631C5
              Source: C:\Users\user\Desktop\client.exeCode function: 0_2_00007FF848D931EE0_2_00007FF848D931EE
              Source: C:\Users\user\Desktop\client.exeCode function: 0_2_00007FF848D92A850_2_00007FF848D92A85
              Source: C:\Users\user\Desktop\client.exeCode function: 0_2_00007FF848D92AFD0_2_00007FF848D92AFD
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D931EE8_2_00007FF848D931EE
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D992A68_2_00007FF848D992A6
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D92A858_2_00007FF848D92A85
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D943DD8_2_00007FF848D943DD
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D9A0528_2_00007FF848D9A052
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D92AFD8_2_00007FF848D92AFD
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 8_2_00007FF848D9D4CF8_2_00007FF848D9D4CF
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 9_2_00007FF848D631C59_2_00007FF848D631C5
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeCode function: 9_2_00007FF848D62AFD9_2_00007FF848D62AFD
              Source: client.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: client.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
              Source: dump.pcap, type: PCAPMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
              Source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
              Source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
              Source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000009.00000002.2093139250.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000008.00000002.3265329144.000000001B6C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000000.00000002.2045845766.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000000.00000002.2046407660.0000000003107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000008.00000002.3260450714.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: 00000009.00000002.2093797285.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: Process Memory Space: Defender_procesed.exe PID: 5632, type: MEMORYSTR; Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED; Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
              Source: client.exe, Settings.cs; Base64 encoded string: 'Y3op0SYni0JK8FYsjcqZFnrndAhIUXBKomxC8+3FQRvVl+kQsl0yf4pAc8GeYVsOX8BBwrw5IEdUWU0KIuAUvg==', 'uLuWIT/ZdQV89A9VMa5Wj2tV1b5FyRRTAbJzrUpVculocBD+En+CftY/KwTF1rU6phbzUZ586jEbVzKar6k1zA==', 'kRGw1DoWEH/D+OdyBRAj5CMWfV5VBQFuiYVQ9z9CbLPE9k2eRV4lo/bJ4P95ANU5TklVcbom+MBhcLWkVdRubw==', 'M6vUBOi+AsaiREUmpLmi5KqFqa0qdcJWqg91pygvinwgdAsnuzdhy4iG3NTcopZJVeOCX6HE1vFX+6H96M0YPQ==', 'uoni9bz3QsHiCR1S6WS19/uTQhlVin5KuxVKMGUhagYEihUCQQ7qazGKa1EOI7jmunADcltU+0r0bjTTuWOYDBSxIOdfZOJmZeaXuPNWbMY=', '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', 'tS7ag1AVDJCkso1qNjPvU66TcYbMa9es6+PoOMYaXogjQ5e8i/laDD7weXh8GhC+WXZyFNGcWCXJYyRyHdGM6AISaZtnHNvYLieLmjktkKCa+DWGHQx1qaQowx1Ri4tTfijraTigr13UbK84zdTudyC/IiHNr07VSw1KADpqqNhgI+wicqiC5RtYUHlPLzi+XHyl1ajP/WfKbHt7SiKt/WOVEk5ZchhNDIvYGYZ05y0fwNO3XE7vRl03t42iCoLmhI8LkYHn8Azz3CBh7ZyRkBVXQciysqRASF996nSzv94=', 'Xb68L+RypjuzwLMMoMuMT+IfdYhCQX4fdzLzjFy6rw9Yzq+gzXxfGfPI5GloVJzcUNQLjAPdAuvPZ3S8eiEbEQ==', 'Is6R+l4XfLD/cwJJR+1XtvScXcXNI/IfJwF/sI3zBTmJ/ocPpndEfvWp+zWymU9kS3gd4NRbeo6fBmbIqPKATg==', 'XXO4uB+zM2SgocWlimOjYSfISV9RwKGBXQyt4HvLDBmkQL3uCuwC29LqL64H8i/fnfR5eA1pjBIqoqvbuaTL4g=='
              Source: Defender_procesed.exe.0.dr, Settings.cs; Base64 encoded string: 'Y3op0SYni0JK8FYsjcqZFnrndAhIUXBKomxC8+3FQRvVl+kQsl0yf4pAc8GeYVsOX8BBwrw5IEdUWU0KIuAUvg==', 'uLuWIT/ZdQV89A9VMa5Wj2tV1b5FyRRTAbJzrUpVculocBD+En+CftY/KwTF1rU6phbzUZ586jEbVzKar6k1zA==', 'kRGw1DoWEH/D+OdyBRAj5CMWfV5VBQFuiYVQ9z9CbLPE9k2eRV4lo/bJ4P95ANU5TklVcbom+MBhcLWkVdRubw==', 'M6vUBOi+AsaiREUmpLmi5KqFqa0qdcJWqg91pygvinwgdAsnuzdhy4iG3NTcopZJVeOCX6HE1vFX+6H96M0YPQ==', 'uoni9bz3QsHiCR1S6WS19/uTQhlVin5KuxVKMGUhagYEihUCQQ7qazGKa1EOI7jmunADcltU+0r0bjTTuWOYDBSxIOdfZOJmZeaXuPNWbMY=', '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', 'tS7ag1AVDJCkso1qNjPvU66TcYbMa9es6+PoOMYaXogjQ5e8i/laDD7weXh8GhC+WXZyFNGcWCXJYyRyHdGM6AISaZtnHNvYLieLmjktkKCa+DWGHQx1qaQowx1Ri4tTfijraTigr13UbK84zdTudyC/IiHNr07VSw1KADpqqNhgI+wicqiC5RtYUHlPLzi+XHyl1ajP/WfKbHt7SiKt/WOVEk5ZchhNDIvYGYZ05y0fwNO3XE7vRl03t42iCoLmhI8LkYHn8Azz3CBh7ZyRkBVXQciysqRASF996nSzv94=', 'Xb68L+RypjuzwLMMoMuMT+IfdYhCQX4fdzLzjFy6rw9Yzq+gzXxfGfPI5GloVJzcUNQLjAPdAuvPZ3S8eiEbEQ==', 'Is6R+l4XfLD/cwJJR+1XtvScXcXNI/IfJwF/sI3zBTmJ/ocPpndEfvWp+zWymU9kS3gd4NRbeo6fBmbIqPKATg==', 'XXO4uB+zM2SgocWlimOjYSfISV9RwKGBXQyt4HvLDBmkQL3uCuwC29LqL64H8i/fnfR5eA1pjBIqoqvbuaTL4g=='
              Source: 0.2.client.exe.36af198.1.raw.unpack, Settings.cs; Base64 encoded string: 'Y3op0SYni0JK8FYsjcqZFnrndAhIUXBKomxC8+3FQRvVl+kQsl0yf4pAc8GeYVsOX8BBwrw5IEdUWU0KIuAUvg==', 'uLuWIT/ZdQV89A9VMa5Wj2tV1b5FyRRTAbJzrUpVculocBD+En+CftY/KwTF1rU6phbzUZ586jEbVzKar6k1zA==', 'kRGw1DoWEH/D+OdyBRAj5CMWfV5VBQFuiYVQ9z9CbLPE9k2eRV4lo/bJ4P95ANU5TklVcbom+MBhcLWkVdRubw==', 'M6vUBOi+AsaiREUmpLmi5KqFqa0qdcJWqg91pygvinwgdAsnuzdhy4iG3NTcopZJVeOCX6HE1vFX+6H96M0YPQ==', 'uoni9bz3QsHiCR1S6WS19/uTQhlVin5KuxVKMGUhagYEihUCQQ7qazGKa1EOI7jmunADcltU+0r0bjTTuWOYDBSxIOdfZOJmZeaXuPNWbMY=', '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', 'tS7ag1AVDJCkso1qNjPvU66TcYbMa9es6+PoOMYaXogjQ5e8i/laDD7weXh8GhC+WXZyFNGcWCXJYyRyHdGM6AISaZtnHNvYLieLmjktkKCa+DWGHQx1qaQowx1Ri4tTfijraTigr13UbK84zdTudyC/IiHNr07VSw1KADpqqNhgI+wicqiC5RtYUHlPLzi+XHyl1ajP/WfKbHt7SiKt/WOVEk5ZchhNDIvYGYZ05y0fwNO3XE7vRl03t42iCoLmhI8LkYHn8Azz3CBh7ZyRkBVXQciysqRASF996nSzv94=', 'Xb68L+RypjuzwLMMoMuMT+IfdYhCQX4fdzLzjFy6rw9Yzq+gzXxfGfPI5GloVJzcUNQLjAPdAuvPZ3S8eiEbEQ==', 'Is6R+l4XfLD/cwJJR+1XtvScXcXNI/IfJwF/sI3zBTmJ/ocPpndEfvWp+zWymU9kS3gd4NRbeo6fBmbIqPKATg==', 'XXO4uB+zM2SgocWlimOjYSfISV9RwKGBXQyt4HvLDBmkQL3uCuwC29LqL64H8i/fnfR5eA1pjBIqoqvbuaTL4g=='
              Source: Defender_procesed.exe.0.dr, Methods.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: Defender_procesed.exe.0.dr, Methods.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: client.exe, Methods.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: client.exe, Methods.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.client.exe.36af198.1.raw.unpack, Methods.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.client.exe.36af198.1.raw.unpack, Methods.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: client.exe, DInvokeCore.cs; Suspicious method names: .DInvokeCore.DynamicAPIInvoke
              Source: 0.2.client.exe.36af198.1.raw.unpack, DInvokeCore.cs; Suspicious method names: .DInvokeCore.DynamicAPIInvoke
              Source: Defender_procesed.exe.0.dr, DInvokeCore.cs; Suspicious method names: .DInvokeCore.DynamicAPIInvoke
              Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/7@0/1
              Source: C:\Users\user\Desktop\client.exe; File created: C:\Users\user\AppData\Roaming\Defender_procesed.exe
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwgsfhgthfhftgd
              Source: C:\Users\user\Desktop\client.exe; File created: C:\Users\user\AppData\Local\Temp\tmpA640.tmp
              Source: C:\Users\user\Desktop\client.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""
              Source: client.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: client.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\client.exe; File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\client.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: client.exe; ReversingLabs: Detection: 78%
              Source: client.exe; Virustotal: Detection: 74%
              Source: C:\Users\user\Desktop\client.exe; File read: C:\Users\user\Desktop\client.exe
              Source: unknown; Process created: C:\Users\user\Desktop\client.exe "C:\Users\user\Desktop\client.exe"
              Source: C:\Users\user\Desktop\client.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\client.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout 3
              Source: unknown; Process created: C:\Users\user\AppData\Roaming\Defender_procesed.exe C:\Users\user\AppData\Roaming\Defender_procesed.exe
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Defender_procesed.exe "C:\Users\user\AppData\Roaming\Defender_procesed.exe"
              Source: C:\Users\user\Desktop\client.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
              Source: C:\Users\user\Desktop\client.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout 3
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Defender_procesed.exe "C:\Users\user\AppData\Roaming\Defender_procesed.exe"
              Source: C:\Users\user\Desktop\client.exe; Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: version.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: slc.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\client.exe; Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\cmd.exe; Section loaded: cmdext.dll
              Source: C:\Windows\System32\schtasks.exe; Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exe; Section loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exe; Section loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exe; Section loaded: xmllite.dll
              Source: C:\Windows\System32\timeout.exe; Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: secur32.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cryptnet.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: webio.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cabinet.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: sxs.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: devenum.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: msdmo.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\client.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: client.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: client.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\client.exe; Code function: 0_2_00007FF848D900BD pushad ; iretd 0_2_00007FF848D900C1
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Code function: 8_2_00007FF848D9BAD8 push E85C9A4Eh; ret 8_2_00007FF848D9BAF9
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Code function: 8_2_00007FF848D900BD pushad ; iretd 8_2_00007FF848D900C1
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Code function: 9_2_00007FF848D600BD pushad ; iretd 9_2_00007FF848D600C1
              Source: C:\Users\user\Desktop\client.exe; File created: C:\Users\user\AppData\Roaming\Defender_procesed.exe

              Boot Survival

              Source: Yara match; File source: client.exe, type: SAMPLE
              Source: Yara match; File source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR
              Source: Yara match; File source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED
              Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\client.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe; Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\Defender_procesed.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

Source: Yara match | File source: client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED
Source: client.exe, Defender_procesed.exe.0.dr | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\client.exe | Memory allocated: 3050000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\client.exe | Memory allocated: 1B0B0000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Memory allocated: F20000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Memory allocated: 1AC40000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Memory allocated: F00000 memory reserve, memory write watch
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Memory allocated: 1AAE0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\client.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Window / User API: threadDelayed 4528
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Window / User API: threadDelayed 5326
Source: C:\Users\user\Desktop\client.exe TID: 5284 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe TID: 1864 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe TID: 5764 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe TID: 5752 | Thread sleep count: 4528 > 30
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe TID: 5752 | Thread sleep count: 5326 > 30
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\client.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\client.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Thread delayed: delay time: 922337203685477
Source: Defender_procesed.exe, 00000008.00000002.3265329144.000000001B6C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpM
Source: Defender_procesed.exe, 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWion="Uses RsaCryptoServiceProvider to encrypt and decrypt"
Source: client.exe, 00000000.00000002.2045845766.00000000014B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: Defender_procesed.exe, 00000008.00000002.3265181822.000000001B598000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\client.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\client.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\client.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\client.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
Source: C:\Users\user\Desktop\client.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Defender_procesed.exe "C:\Users\user\AppData\Roaming\Defender_procesed.exe"
Source: Defender_procesed.exe, 00000008.00000002.3265181822.000000001B5B6000.00000004.00000020.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.0000000003076000.00000004.00000800.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Defender_procesed.exe, 00000008.00000002.3260450714.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\client.exe | Queries volume information: C:\Users\user\Desktop\client.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Queries volume information: C:\Users\user\AppData\Roaming\Defender_procesed.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | Queries volume information: C:\Users\user\AppData\Roaming\Defender_procesed.exe VolumeInformation
Source: C:\Users\user\Desktop\client.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.client.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.client.exe.36af198.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, type: DROPPED
Source: client.exe, 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, client.exe, 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Defender_procesed.exe.0.dr | Binary or memory string: MSASCui.exe
Source: client.exe, 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, client.exe, 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Defender_procesed.exe.0.dr | Binary or memory string: procexp.exe
Source: Defender_procesed.exe, 00000008.00000002.3264828058.000000001B510000.00000004.00000020.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: client.exe, 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, client.exe, 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Defender_procesed.exe.0.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client.exe PID: 5248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Defender_procesed.exe PID: 6404, type: MEMORYSTR
MITRE ATT&CK matrix (numbers in parentheses are the report's signature counts for that technique; cells without a count had no match):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (2) | Process Injection (12) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (2) | Scripting (1) | Scheduled Task/Job (2) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (221) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (12) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1502288 | Sample: client.exe | Start date: 31/08/2024 | Architecture: WINDOWS | Score: 100

Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree (as drawn in the behavior graph):
- client.exe (started)
  - dropped: C:\Users\user\...\Defender_procesed.exe (PE32)
  - dropped: C:\Users\user\AppData\...\client.exe.log (CSV)
  - cmd.exe (started)
    - signature: Uses schtasks.exe or at.exe to add and modify task schedules
    - conhost.exe (started)
    - schtasks.exe (started)
  - cmd.exe (started)
    - Defender_procesed.exe (started)
    - conhost.exe (started)
    - timeout.exe (started)
- Defender_procesed.exe (started)
  - network: 193.233.74.21, 49704, 7777, MGNHOST-ASRU, Russian Federation
  - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Antivirus detection for the submitted sample:
Source | Detection | Scanner | Label
client.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
client.exe | 74% | Virustotal |
client.exe | 100% | Avira | HEUR/AGEN.1307453
client.exe | 100% | Joe Sandbox ML |
Antivirus detection for dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Defender_procesed.exe | 100% | Avira | HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\Defender_procesed.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Defender_procesed.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
C:\Users\user\AppData\Roaming\Defender_procesed.exe | 74% | Virustotal |
              No Antivirus matches
Domains:
Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal |
URLs:
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | client.exe, 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, client.exe, 00000000.00000002.2046407660.00000000036A6000.00000004.00000800.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Defender_procesed.exe, 00000008.00000002.3260450714.000000000300A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.233.74.21 | unknown | Russian Federation | 202423 | MGNHOST-ASRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502288
Start date and time: 2024-08-31 23:02:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: client.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/7@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 4
              • Number of non-executed functions: 1
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 199.232.214.172
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:03:00 | API Interceptor | 2x Sleep call for process: Defender_procesed.exe modified
23:02:56 | Task Scheduler | Run new task: Defender_procesed path: "C:\Users\user\AppData\Roaming\Defender_procesed.exe"
              No context
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
TsLvuUO.dll | malicious | Unknown | 199.232.210.172
http://sin1.contabostorage.com | malicious | Unknown | 199.232.214.172
BankPaymAdviceVend.Report.docx | malicious | Unknown | 199.232.214.172
TradingStationPublisher.msi | malicious | Unknown | 199.232.214.172
DFweD7fjxj.exe | malicious | DCRat | 199.232.210.172
http://lobster.cloudserver1097.com/3f9vxbkr4q83r4aq | malicious | Unknown | 199.232.214.172
https://login.ap-financier.com/TaqWmoGv | malicious | HTMLPhisher | 199.232.210.172
http://find-phone.za.com/icloud2022-esp.php | malicious | Unknown | 199.232.210.172
https://sharefile8.pages.dev/b08+zb2ylref0qax | malicious | Unknown | 199.232.214.172
https://seoservicesiox.firebaseapp.com/?err=tdn8ci80q...~311~...1bab28021k78dd4g97a557ek2c2e4 | malicious | HTMLPhisher | 199.232.210.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MGNHOST-ASRU | file.exe | Get hash | malicious | RedLine | Browse | 193.233.74.8
MGNHOST-ASRU | server.bin.exe | Get hash | malicious | Ursnif | Browse | 5.44.43.17
MGNHOST-ASRU | server.exe | Get hash | malicious | Ursnif | Browse | 5.44.43.17
MGNHOST-ASRU | server.exe | Get hash | malicious | Ursnif | Browse | 5.44.43.17
MGNHOST-ASRU | server.exe | Get hash | malicious | Ursnif | Browse | 5.44.43.17
MGNHOST-ASRU | marzo.txt.url | Get hash | malicious | Ursnif | Browse | 5.44.43.17
MGNHOST-ASRU | login.dll | Get hash | malicious | Ursnif | Browse | 194.116.163.130
MGNHOST-ASRU | login.dll | Get hash | malicious | Ursnif | Browse | 194.116.163.130
MGNHOST-ASRU | Informazion.exe | Get hash | malicious | Ursnif, zgRAT | Browse | 193.0.178.157
MGNHOST-ASRU | 47gcdr4nlI.exe | Get hash | malicious | DanaBot | Browse | 185.142.98.118
              No context
              No context
              Process:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
              Category:dropped
              Size (bytes):71954
              Entropy (8bit):7.996617769952133
              Encrypted:true
              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
              Malicious:false
              Reputation:high, very likely benign file
              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
              Process:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              File Type:data
              Category:dropped
              Size (bytes):328
              Entropy (8bit):3.2478978672539016
              Encrypted:false
              SSDEEP:6:kK/pF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:3psDImsLNkPlE99SNxAhUe/3
              MD5:E59F3438D69C79DA791E070F3B334BDF
              SHA1:21B9561260FFA7C1779E5733F0E9411C5DC19557
              SHA-256:85E8F33AC9D5E43D2A3A012AF5C947117AD51D290039F8F3A2046CBF3A2D7AC6
              SHA-512:5D12F21D951B0C1E406DEF54DC60C6E567C2FB524A4F799B086943CCA7E85EDEBC3565D4233C8D22DA3C48AD9673920D156E9957BFD000DDD6230A830FAB2722
              Malicious:false
              Reputation:low
              Preview:p...... ...........)....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
              Process:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):425
              Entropy (8bit):5.357964438493834
              Encrypted:false
              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
              MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
              SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
              SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
              SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
              Process:C:\Users\user\Desktop\client.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):425
              Entropy (8bit):5.357964438493834
              Encrypted:false
              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
              MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
              SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
              SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
              SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
              Malicious:true
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
              Process:C:\Users\user\Desktop\client.exe
              File Type:DOS batch file, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):163
              Entropy (8bit):5.0489293989803405
              Encrypted:false
              SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC5Eu2nGAh0ZmqRDUkh4E2J5xAInTRIOTRVS7ZPy:hWKqTtT69aZ5EvnXh0Zmq1923fTvC7k
              MD5:81BE8B72128C0F9405CA37B612C0AB54
              SHA1:279CE6F79D0383F0DC15B33CAEAA977AC0BA11EB
              SHA-256:FF094F6EDD771522158D56462BE13B14AB27F6E005B42510015C229867F84901
              SHA-512:2BAB3C373729E136B519AB72830B5EF56F42A3DAAC99F9185DFB32A34132437098060787B8FB68C1A590C2691D252B776E7633A308291AF8BC870B6E46E7C75D
              Malicious:false
              Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Defender_procesed.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpA640.tmp.bat" /f /q..
              Process:C:\Users\user\Desktop\client.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):64512
              Entropy (8bit):5.820055111530962
              Encrypted:false
              SSDEEP:1536:zJs1Tn8I8Q7vIh5teeiMl8GbbXwRKGdZVclN:zJs1Tn8I8Q7e5QeFmGbbXOzY
              MD5:3FDAF7D43EDCBF138A3F282199A0A576
              SHA1:66F799325FB310BC4E3C810433A53B31256FE6CD
              SHA-256:876D061CBBF6C1A4A8CDCFBDBDF5EF74E25476E5DA77E502EB586EBA8A871AC0
              SHA-512:7986E68D2DD0F827025790602C1B546FF8D441075947867497CF70D3CB05435D2F2BFDE678867E071892CA971BD4CDDD7D2C7BA0F86C50004AAA9CE6C066D5B6
              Malicious:true
              Yara Hits:
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: ditekSHen
              • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: ditekSHen
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 79%
              • Antivirus: Virustotal, Detection: 74%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^O.a............................n.... ... ....@.. .......................`............@................................. ...K.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................P.......H........e..@............................................................W......H3.......W......3........./.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(C......*2~.....oD...*.s....%r...po....(h...r...p(....o....o....o....( ... ....(....*.s....%r...po....r...po....%r...po.....o....o....( ...*Vs.........si........*.~"...*..."...*F.(+...~!...o....*&...o.
              Process:C:\Windows\System32\timeout.exe
              File Type:ASCII text, with CRLF line terminators, with overstriking
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.41440934524794
              Encrypted:false
              SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
              MD5:3DD7DD37C304E70A7316FE43B69F421F
              SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
              SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
              SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
              Malicious:false
              Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):5.820055111530962
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name:client.exe
              File size:64'512 bytes
              MD5:3fdaf7d43edcbf138a3f282199a0a576
              SHA1:66f799325fb310bc4e3c810433a53b31256fe6cd
              SHA256:876d061cbbf6c1a4a8cdcfbdbdf5ef74e25476e5da77e502eb586eba8a871ac0
              SHA512:7986e68d2dd0f827025790602c1b546ff8d441075947867497cf70d3cb05435d2f2bfde678867e071892ca971bd4cddd7d2c7ba0f86c50004aaa9ce6c066d5b6
              SSDEEP:1536:zJs1Tn8I8Q7vIh5teeiMl8GbbXwRKGdZVclN:zJs1Tn8I8Q7e5QeFmGbbXOzY
              TLSH:94535B002798C965E2AD4AF8ACF2950146B5D5772102DB5E7CC804DBAB9FFC64A133EF
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^O.a............................n.... ... ....@.. .......................`............@................................
              Icon Hash:00928e8e8686b000
              Entrypoint:0x41096e
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x61DE4F5E [Wed Jan 12 03:47:42 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10920 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0xdf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe974 | 0xea00 | c8f68f0fc8ed7c176c0f9b5a9112de49 | False | 0.49180355235042733 | data | 5.853302769232655 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0xdf7 | 0xe00 | 6abcb87f121c4b14112361dcefec0ef9 | False | 0.40122767857142855 | data | 5.110115746826057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | b0e0535106ee2612393c6c4ee578322a | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0x12374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-31T23:03:00.468176+0200 | TCP | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 7777 | 49704 | 193.233.74.21 | 192.168.2.5
2024-08-31T23:03:00.468176+0200 | TCP | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 7777 | 49704 | 193.233.74.21 | 192.168.2.5
2024-08-31T23:03:00.468176+0200 | TCP | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 7777 | 49704 | 193.233.74.21 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 31, 2024 23:03:00.870378971 CEST | 1.1.1.1 | 192.168.2.5 | 0xfded | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 23:03:00.870378971 CEST | 1.1.1.1 | 192.168.2.5 | 0xfded | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

              Target ID:0
              Start time:17:02:52
              Start date:31/08/2024
              Path:C:\Users\user\Desktop\client.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\client.exe"
              Imagebase:0xe40000
              File size:64'512 bytes
              MD5 hash:3FDAF7D43EDCBF138A3F282199A0A576
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2046407660.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2046407660.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2013553263.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2045845766.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2046407660.0000000003107000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"' & exit
              Imagebase:0x7ff6db010000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA640.tmp.bat""
              Imagebase:0x7ff6db010000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Defender_procesed" /tr '"C:\Users\user\AppData\Roaming\Defender_procesed.exe"'
              Imagebase:0x7ff700190000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:17:02:55
              Start date:31/08/2024
              Path:C:\Windows\System32\timeout.exe
              Wow64 process (32bit):false
              Commandline:timeout 3
              Imagebase:0x7ff796130000
              File size:32'768 bytes
              MD5 hash:100065E21CFBBDE57CBA2838921F84D6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:8
              Start time:17:02:56
              Start date:31/08/2024
              Path:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              Imagebase:0x9e0000
              File size:64'512 bytes
              MD5 hash:3FDAF7D43EDCBF138A3F282199A0A576
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.3260450714.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.3259844986.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.3265329144.000000001B6C3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.3260450714.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.3260450714.0000000002CC3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: ditekSHen
              • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\Defender_procesed.exe, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 79%, ReversingLabs
              • Detection: 74%, Virustotal
              Reputation:low
              Has exited:false

              Target ID:9
              Start time:17:02:58
              Start date:31/08/2024
              Path:C:\Users\user\AppData\Roaming\Defender_procesed.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\Defender_procesed.exe"
              Imagebase:0x7c0000
              File size:64'512 bytes
              MD5 hash:3FDAF7D43EDCBF138A3F282199A0A576
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.2093139250.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000009.00000002.2093797285.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:low
              Has exited:true


                Execution Graph

                Execution Coverage:24.7%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:100%
                Total number of Nodes:5
                Total number of Limit Nodes:1
                execution_graph
                  Nodes: 7ff848d931ee; 7ff848d9321c; 7ff848d9338b; 7ff848d93514 (NtProtectVirtualMemory); 7ff848d93555
                  Edges: 7ff848d931ee -> 7ff848d9321c; 7ff848d9321c -> 7ff848d9338b; 7ff848d9321c -> 7ff848d93514; 7ff848d93514 -> 7ff848d93555

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2050129463.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848d90000_client.jbxd
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: 3ba481b46499d43ac9cdcccccef3634be35b7cbdc9c5f989933fa82ff793a277
                • Instruction ID: 17a02e2aa3afd4e7bef2c48fe01349c75cdf3603ba03c8b4b54fc664fee057c5
                • Opcode Fuzzy Hash: 3ba481b46499d43ac9cdcccccef3634be35b7cbdc9c5f989933fa82ff793a277
                • Instruction Fuzzy Hash: A1C14731E1DA495FE71DEB6898162FA7BE1EF95360F04417ED08AC3197DE38680A8781

                Control-flow Graph

                control_flow_graph 280 7ff848d92a85-7ff848d92a8f 281 7ff848d92a91 280->281 282 7ff848d92a96-7ff848d92aa7 280->282 281->282 285 7ff848d92a93 281->285 283 7ff848d92aa9 282->283 284 7ff848d92aae-7ff848d92aba 282->284 283->284 286 7ff848d92aab 283->286 287 7ff848d92b04-7ff848d92b0a 284->287 288 7ff848d92abb-7ff848d92acc 284->288 285->282 286->284 290 7ff848d92b54-7ff848d92b66 287->290 291 7ff848d92b0c-7ff848d92b53 287->291 292 7ff848d92ad3-7ff848d92af8 288->292 293 7ff848d92ace call 7ff848d91b58 288->293 297 7ff848d92b68-7ff848d92b6c 290->297 298 7ff848d92b6e-7ff848d92b6f 290->298 291->290 304 7ff848d92af9 292->304 293->292 300 7ff848d92b72-7ff848d92bd7 297->300 298->300 311 7ff848d92c76-7ff848d92c79 300->311 312 7ff848d92bdd-7ff848d92be4 300->312 304->304 313 7ff848d92c7b-7ff848d92c8e 311->313 314 7ff848d92c8f-7ff848d92cb2 311->314 315 7ff848d92be7-7ff848d92c22 312->315 319 7ff848d92cb4-7ff848d92d03 314->319 320 7ff848d92d06-7ff848d92d37 314->320 327 7ff848d92c24-7ff848d92c33 315->327 328 7ff848d92c37-7ff848d92c73 315->328 319->320 333 7ff848d92d42-7ff848d92d53 320->333 334 7ff848d92d39-7ff848d92d41 320->334 327->315 329 7ff848d92c35 327->329 328->311 329->311 336 7ff848d92d55-7ff848d92d5d 333->336 337 7ff848d92d5e-7ff848d92d6a 333->337 334->333 336->337 339 7ff848d92db4-7ff848d92eaf call 7ff848d91b10 337->339 340 7ff848d92d6c-7ff848d92db3 337->340 358 7ff848d92eb1-7ff848d92ec0 339->358 359 7ff848d92ec3-7ff848d92ec7 339->359 340->339 363 7ff848d92f12-7ff848d92f24 358->363 364 7ff848d92ec2 358->364 361 7ff848d92ed8-7ff848d92ee1 359->361 362 7ff848d92ec9-7ff848d92ed7 359->362 365 7ff848d92ee3-7ff848d92ef9 361->365 366 7ff848d92f25-7ff848d92f4d 361->366 364->359 369 7ff848d92efb-7ff848d92f09 365->369 370 7ff848d92f0d-7ff848d92f11 365->370 371 7ff848d92f4f-7ff848d92f5c call 7ff848d91af8 366->371 369->370 370->363 374 7ff848d92f61-7ff848d92f64 371->374 375 7ff848d92f66-7ff848d92f6a 374->375 376 7ff848d92f89-7ff848d92fdd 374->376 378 7ff848d92f71-7ff848d92f88 375->378 384 7ff848d92fdf-7ff848d92fef call 7ff848d91b00 376->384 386 7ff848d92ff4-7ff848d92ff7 384->386 387 7ff848d92ff9-7ff848d92fff call 7ff848d91b08 386->387 388 7ff848d9300c-7ff848d9302f 386->388 391 7ff848d93004-7ff848d9300b 387->391 393 7ff848d93031-7ff848d93080 388->393 394 7ff848d93083-7ff848d93088 388->394 393->394 396 7ff848d9308f-7ff848d93094 call 7ff848d919e0 394->396 399 7ff848d93099-7ff848d930c1 396->399 405 7ff848d93173-7ff848d9319d call 7ff848d9319e 399->405 406 7ff848d930c7-7ff848d930e6 399->406 409 7ff848d930e8-7ff848d930fd 406->409 410 7ff848d930ff-7ff848d93143 call 7ff848d919f0 406->410 409->410 421 7ff848d93165-7ff848d93192 call 7ff848d91b38 call 7ff848d9319e 410->421 422 7ff848d93145-7ff848d9315d 410->422 422->406 425 7ff848d93163 422->425 425->405
                Memory Dump Source
                • Source File: 00000000.00000002.2050129463.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848d90000_client.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc9955ec42c87a49df61f418466874c85c26d56dbb01c40943a11d24d19e4233
                • Instruction ID: bd4440213b83bd9962232bd2eb4b4637a769996d2e9874c559e85d4e86d2a5b8
                • Opcode Fuzzy Hash: fc9955ec42c87a49df61f418466874c85c26d56dbb01c40943a11d24d19e4233
                • Instruction Fuzzy Hash: D3423731E0EA4A4FE759AB3C98592B57BD1EF99354F0801BED04EC3197DF28A84A8345
                Memory Dump Source
                • Source File: 00000000.00000002.2050129463.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848d90000_client.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 638c51416cd64f2828e4ac580a457e0840ee1a373dda929cccdc45c7012b068c
                • Instruction ID: 5b9af50334b5164b58d1cde15f8df65859d18aa07a17e01dffa8a879bbe7a351
                • Opcode Fuzzy Hash: 638c51416cd64f2828e4ac580a457e0840ee1a373dda929cccdc45c7012b068c
                • Instruction Fuzzy Hash: 6C41F431D1DA095EE72CFB2598561FA73E1EFA5354F44443ED48BC349AEE38B40A8681

                Execution Graph

                Execution Coverage:17.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:5
                Total number of Limit Nodes:1
                execution_graph
                  Nodes: 7ff848d931ee; 7ff848d9321c; 7ff848d9338b; 7ff848d93514 (NtProtectVirtualMemory); 7ff848d93555
                  Edges: 7ff848d931ee -> 7ff848d9321c; 7ff848d9321c -> 7ff848d9338b; 7ff848d9321c -> 7ff848d93514; 7ff848d93514 -> 7ff848d93555

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.3266853144.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_8_2_7ff848d90000_Defender_procesed.jbxd
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: 597939f55208d47cec4509fc5517c1d05c10818969585dbdfdc81daec66f987f
                • Instruction ID: 17a02e2aa3afd4e7bef2c48fe01349c75cdf3603ba03c8b4b54fc664fee057c5
                • Opcode Fuzzy Hash: 597939f55208d47cec4509fc5517c1d05c10818969585dbdfdc81daec66f987f
                • Instruction Fuzzy Hash: A1C14731E1DA495FE71DEB6898162FA7BE1EF95360F04417ED08AC3197DE38680A8781

                Execution Graph

                Execution Coverage:32%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:5
                Total number of Limit Nodes:1
                execution_graph
                  Nodes: 7ff848d631c5; 7ff848d631ce; 7ff848d6338b; 7ff848d63514 (NtProtectVirtualMemory); 7ff848d63555
                  Edges: 7ff848d631c5 -> 7ff848d631ce; 7ff848d631ce -> 7ff848d6338b; 7ff848d631ce -> 7ff848d63514; 7ff848d63514 -> 7ff848d63555

                Callgraph

                callgraph 0 Function_00007FF848D626DD 11 Function_00007FF848D627E0 0->11 30 Function_00007FF848D604C0 0->30 34 Function_00007FF848D604C8 0->34 1 Function_00007FF848D600DD 2 Function_00007FF848D61ADD 3 Function_00007FF848D621DD 4 Function_00007FF848D603D8 5 Function_00007FF848D601DB 6 Function_00007FF848D619E5 7 Function_00007FF848D607E5 8 Function_00007FF848D613E5 15 Function_00007FF848D607E8 8->15 9 Function_00007FF848D607E0 9->15 10 Function_00007FF848D604E0 12 Function_00007FF848D625E2 13 Function_00007FF848D629EC 84 Function_00007FF848D61B20 13->84 14 Function_00007FF848D601EC 16 Function_00007FF848D603E8 17 Function_00007FF848D600F4 18 Function_00007FF848D607F0 19 Function_00007FF848D60AF3 20 Function_00007FF848D617F3 21 Function_00007FF848D600BD 22 Function_00007FF848D603BD 23 Function_00007FF848D617BE 24 Function_00007FF848D604B8 25 Function_00007FF848D601BA 26 Function_00007FF848D621BA 27 Function_00007FF848D611C5 46 Function_00007FF848D613A3 27->46 28 Function_00007FF848D631C5 29 Function_00007FF848D600C4 31 Function_00007FF848D609C9 32 Function_00007FF848D614C8 32->18 82 Function_00007FF848D61754 32->82 33 Function_00007FF848D607C8 35 Function_00007FF848D601CB 36 Function_00007FF848D61AD3 37 Function_00007FF848D6219D 38 Function_00007FF848D60D9C 39 Function_00007FF848D6119C 40 Function_00007FF848D6269E 41 Function_00007FF848D60498 42 Function_00007FF848D60398 43 Function_00007FF848D601A4 44 Function_00007FF848D604A0 45 Function_00007FF848D607A0 45->15 47 Function_00007FF848D600AD 48 Function_00007FF848D602A8 49 Function_00007FF848D620B5 50 Function_00007FF848D60BB1 50->10 50->41 50->45 51 Function_00007FF848D606B0 50->51 62 Function_00007FF848D60690 50->62 66 Function_00007FF848D60558 50->66 70 Function_00007FF848D60568 50->70 76 Function_00007FF848D60638 50->76 77 Function_00007FF848D60738 50->77 85 Function_00007FF848D60620 50->85 89 Function_00007FF848D60528 50->89 100 Function_00007FF848D60500 50->100 51->15 52 Function_00007FF848D6017D 53 Function_00007FF848D60E7E 53->9 53->33 53->44 102 Function_00007FF848D60808 53->102 54 Function_00007FF848D62A85 55 Function_00007FF848D61A80 56 Function_00007FF848D61F8D 56->49 57 Function_00007FF848D6028D 58 Function_00007FF848D6218D 59 Function_00007FF848D63589 60 Function_00007FF848D61789 61 Function_00007FF848D62895 61->24 62->15 63 Function_00007FF848D62993 64 Function_00007FF848D6035D 65 Function_00007FF848D6025D 67 Function_00007FF848D61465 68 Function_00007FF848D6166D 68->20 68->23 68->60 69 Function_00007FF848D6216D 71 Function_00007FF848D60468 72 Function_00007FF848D60D77 73 Function_00007FF848D6043D 74 Function_00007FF848D6023F 75 Function_00007FF848D60338 76->15 77->15 78 Function_00007FF848D6024D 79 Function_00007FF848D6014D 80 Function_00007FF848D6044D 81 Function_00007FF848D61F4E 83 Function_00007FF848D60118 84->16 85->15 86 Function_00007FF848D60222 87 Function_00007FF848D6012D 88 Function_00007FF848D6282D 90 Function_00007FF848D60228 91 Function_00007FF848D6182A 92 Function_00007FF848D61930 93 Function_00007FF848D62AFD 96 Function_00007FF848D61AF8 93->96 99 Function_00007FF848D61B00 93->99 103 Function_00007FF848D61B08 93->103 108 Function_00007FF848D61B10 93->108 94 Function_00007FF848D603F8 95 Function_00007FF848D621F8 97 Function_00007FF848D605FA 97->15 98 Function_00007FF848D607FA 101 Function_00007FF848D6020C 104 Function_00007FF848D6000B 105 Function_00007FF848D61A15 106 Function_00007FF848D62116 107 Function_00007FF848D62A16 109 Function_00007FF848D60112 110 Function_00007FF848D62212

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2097797155.00007FF848D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D60000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_7ff848d60000_Defender_procesed.jbxd
                Similarity
                • API ID: MemoryProtectVirtual
                • String ID:
                • API String ID: 2706961497-0
                • Opcode ID: e2e14ce3de106d2f9d30320bc72f250c75a2c459fa5867e423ec91ab75dcf674
                • Instruction ID: bc100ddb621c730c8e63181b1d8920359e99f34354ca937b0a2083339c21234b
                • Opcode Fuzzy Hash: e2e14ce3de106d2f9d30320bc72f250c75a2c459fa5867e423ec91ab75dcf674
                • Instruction Fuzzy Hash: 8AD13831A1DA495FE71DAB6898562FA77E1EF95360F0441BFD08AC3197DE38680B8381