Windows Analysis Report
1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe

Overview

General Information

Sample name: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
Analysis ID: 1515271
MD5: 3fb871e12cee36470aa80d019aa46c2a
SHA1: 3fff365af65a3d3312c222acfe0a4d7447d0e78d
SHA256: 2e432426a7a0a10a0068c035368f749c298e1ef1add61e31a8b25da74676fcaa
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "dcmxz.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "BMaxyTI6PFcknz46fW6SoamkbMkpDOBY", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "HHE5jOeVJOhAghvpojlJdIrDbFOsUbqwsp+EMG8VXpAUEeevWIZdvf0JXY09IqtRyF0X8OflaZjfz5GSeKAlhnZylZ4ewd/rQNkxEX2jmNQvqQm2VUSZ4DaZ1LNcyuuDLoLokVBSqAQ26qID63vTRTGCG+S4ivbzXv2B1m+Pq9M=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9af0:$a2: timeout 3 > NUL
  • 0x9b10:$a3: START "" "
  • 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g (base64 for "/c schtasks /create /f /sc onlogon /rl highest /tn ")
  • 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== (base64 for "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\")
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x999b:$s2: L2Mgc2NodGFza3MgL2
  • 0x991a:$s3: QW1zaVNjYW5CdWZmZXI (base64 for "AmsiScanBuffer")
  • 0x9968:$s4: VmlydHVhbFByb3RlY3Q (base64 for "VirtualProtect")
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cd2:$q1: Select * from Win32_CacheMemory
  • 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa14a:$s1: DcRatBy

Source: dump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x4b7:$b2: DcRat By qwqdanchun1

Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x63f7:$a1: havecamera
  • 0x98f0:$a2: timeout 3 > NUL
  • 0x9910:$a3: START "" "
  • 0x979b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9850:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000000.00000002.3363355468.000000001B58B000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0xb4c0:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x5102c:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9af0:$a2: timeout 3 > NUL
  • 0x9b10:$a3: START "" "
  • 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x999b:$s2: L2Mgc2NodGFza3MgL2
  • 0x991a:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9968:$s4: VmlydHVhbFByb3RlY3Q
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cd2:$q1: Select * from Win32_CacheMemory
  • 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa14a:$s1: DcRatBy
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-22T06:59:12.248571+0200 | 2034847 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP
2024-09-22T06:59:12.248571+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP
2024-09-22T06:59:12.248571+0200 | 2848048 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP


          AV Detection

Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Avira: detected
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT (configuration identical to the one listed in the Classification section above: server dcmxz.duckdns.org, port 35650, version 1.0.7, mutex DcRatMutex_qwqdanchun)
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Virustotal: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:35650 -> 192.168.2.5:49705
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49705
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49705
Source: Malware configuration extractor | URLs: dcmxz.duckdns.org
Source: unknown | DNS query: name: dcmxz.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 45.135.232.38:35650
Source: Joe Sandbox View | ASN Name: ASBAXETNRU ASBAXETNRU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dcmxz.duckdns.org
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3363355468.000000001B58B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361400482.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabz
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/end3
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR

          System Summary

Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3363355468.000000001B58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Code function: 0_2_00007FF848E7C56F
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Code function: 0_2_00007FF848E78346
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Code function: 0_2_00007FF848E790F2
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Code function: 0_2_00007FF848E730E2
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000000.2118470932.000000000078E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361400482.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3363355468.000000001B58B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, Settings.cs | Base64 encoded string: 'rdvg6WR9YpK4ldjpOONzY1prolv9NEkpkwUs2GkgR//0YtYH71rbxnR4PfBGmKhcLHtUrWgSsu+78LWRDCPstL0LWyHbVXPesRyBf8ep2nk=', 'kavigSNbfCs4IxuRCpfhumt7bCDlfiYTnBbT8pebQJaPJb8mlJBl7LhTP3A3D1oAvA9GgjgmY82OkDe1wp1WS9wyXKoH33DKgXCHGkVhdxmVDR5O3ckPdt7AZq6A27WPZ45ZZYqJ0Q/xn4KPodqJiJV3Tjop6IJ2RAcH6E9eLR2IIauR8fzkjhfIpmJxMk+CP8AYqydzOwaR03qYahkZv3rhQlsHUWeqGeYQtjFnvewL7x93qMLeiQt6fahVgVjBmll1DTYlzCGoaCZMRzXSKcKaffC71+RasCUhGK18dCw=', 'jVe/CHyxeji+ISSX691hV54Pga5de6Nfp7sJWmdTAzHCaR7mZl2MO65Hk6KJMauS9Y6jw9wXKcqYOT2qrHh4JQ==', 'vVLVqaAyjFawc15DAD8/cfIQb0Gumvo25eyVv99u7lA+4pgQQfe5He3KVJsqW0aNW9hTCtQIhPaNPwOsYJIAxA=='
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: devenum.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeSection loaded: msdmo.dllJump to behavior
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeCode function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1

          Boot Survival

          barindex
          Source: Yara match; File source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Source: Yara match; File source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Memory allocated: FE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Memory allocated: 1AA90000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Window / User API: threadDelayed 9611
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe TID: 1088; Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe TID: 6660; Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe TID: 1532; Thread sleep count: 9611 > 30
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe TID: 1532; Thread sleep count: 243 > 30
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Thread delayed: delay time: 922337203685477
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3363189778.000000001B40A000.00000004.00000020.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3363355468.000000001B575000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, AntiProcess.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, Win32.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, Amsi.cs; Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe VolumeInformation
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          barindex
          Source: Yara match; File source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe.780000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MSASCui.exe
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3363355468.000000001B5BD000.00000004.00000020.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3363189778.000000001B422000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: procexp.exe
          Source: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MsMpEng.exe
          Source: C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

          barindex
          Source: Yara match; File source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Source: Yara match; File source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe PID: 6624, type: MEMORYSTR

          Mitre Att&ck Matrix

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Obfuscated Files or Information | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

          Source | Detection | Scanner | Label
          1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | 68% | Virustotal |
          1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307404
          1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          dcmxz.duckdns.org | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          dcmxz.duckdns.org | 45.135.232.38 | true | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          dcmxz.duckdns.org | true | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe, 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            45.135.232.38 | dcmxz.duckdns.org | Russian Federation | 49392 | ASBAXETNRU | true
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1515271
            Start date and time:2024-09-22 06:58:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 12s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:4
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@1/2@1/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 6
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded IPs from analysis (whitelisted): 93.184.221.240
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            Time | Type | Description
            00:59:12 | API Interceptor | 2x Sleep call for process: 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe modified
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            45.135.232.38 | decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe | malicious | Remcos |
            45.135.232.38 | sostener.vbs | malicious | Remcos |
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            ASBAXETNRU | SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elf | malicious | Mirai | 212.196.169.14
            ASBAXETNRU | file.exe | malicious | AsyncRAT, DcRat | 212.192.12.222
            ASBAXETNRU | http://104.219.233.181/fwd/P2Q9MjU2Mjc5JmVpPTcyODUyMjcyJmlmPTUxNDQyJm5kcD03OTgzJnNpPTE3JmxpPTIyMzcz | malicious | Phisher | 45.147.195.6
            ASBAXETNRU | decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe | malicious | Remcos | 45.135.232.38
            ASBAXETNRU | NwFP.exe | malicious | SmokeLoader | 45.142.44.233
            ASBAXETNRU | sostener.vbs | malicious | Remcos | 45.135.232.38
            ASBAXETNRU | wAO7F8FbEz.elf | malicious | Unknown | 212.196.181.198
            ASBAXETNRU | http://0la4fyd6lwi0xam.rodconant.com/q3bCCwDV?sub1=tt&keyword=lmai@dllr.state.md.us&sub2=rochapan.com.br | malicious | Unknown | 46.29.162.82
            ASBAXETNRU | hidakibest.arm5.elf | malicious | Gafgyt, Mirai | 45.93.200.174
            ASBAXETNRU | hidakibest.arm4.elf | malicious | Gafgyt, Mirai | 45.93.200.174
                No context
                No context
                Process:C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):71954
                Entropy (8bit):7.996617769952133
                Encrypted:true
                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious:false
                Reputation:high, very likely benign file
                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                Process:C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.150184159866505
                Encrypted:false
                SSDEEP:6:kKX99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:MDnLNkPlE99SNxAhUe/3
                MD5:BF43F9B760C15FC357C34C91B9E2B9BD
                SHA1:9C7EE1578BDF55DD1BD4E27FA9A2A24F39332F50
                SHA-256:A2D22849CF7D50DD79A61510DE1057BFBA69617B75BFC1F12AF35BFA62108524
                SHA-512:FB19AA6A8B76BFF35094E76D99E91A3F9433F57B531821856245E4ED8CDD9687B21814D88EFBAF1DD70F7E21867E00BD93D59CF754B04DEFBC5D1F8E85045222
                Malicious:false
                Reputation:low
                Preview:p...... .........xy*....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.617428788763553
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
                File size:48'640 bytes
                MD5:3fb871e12cee36470aa80d019aa46c2a
                SHA1:3fff365af65a3d3312c222acfe0a4d7447d0e78d
                SHA256:2e432426a7a0a10a0068c035368f749c298e1ef1add61e31a8b25da74676fcaa
                SHA512:736208f58515d91cf27ea55c6a76634ec600c2eace2610b5fdac13ec13a37bb20153b2591cf339107d648ab75a9c2320519b2df77c66dd686879accc06f4f985
                SSDEEP:768:gq+s3pUtDILNCCa+DiyiVioP8YbdgemEidkQJ+68vEgK/JHZVc6KN:gq+AGtQO/rzbK7ndkQJd8nkJHZVclN
                TLSH:3D236C003798C536E2FD4BB5ADF3A2418675D2672D03CB596CC825AA2B13FC596036FE
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                Icon Hash:00928e8e8686b000
                Entrypoint:0x40cbbe
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb6c | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0xabc4 | 0xac00 | 4c9ccb09763d805c53b00c1b7e42f7f7 | False | 0.5025890261627907 | data | 5.642588220419804 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
                RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
                DLL | Import
                mscoree.dll | _CorExeMain
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-09-22T06:59:12.248571+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP
                2024-09-22T06:59:12.248571+0200 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP
                2024-09-22T06:59:12.248571+0200 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 35650 | 192.168.2.5 | 49705 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 22, 2024 06:59:11.381375074 CEST | 50883 | 53 | 192.168.2.5 | 1.1.1.1
                Sep 22, 2024 06:59:11.499355078 CEST | 53 | 50883 | 1.1.1.1 | 192.168.2.5
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Sep 22, 2024 06:59:11.381375074 CEST | 192.168.2.5 | 1.1.1.1 | 0x3bc3 | Standard query (0) | dcmxz.duckdns.org | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Sep 22, 2024 06:59:11.499355078 CEST | 1.1.1.1 | 192.168.2.5 | 0x3bc3 | No error (0) | dcmxz.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false


                Target ID:0
                Start time:00:59:07
                Start date:22/09/2024
                Path:C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe"
                Imagebase:0x780000
                File size:48'640 bytes
                MD5 hash:3FB871E12CEE36470AA80D019AA46C2A
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2118439843.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3363355468.000000001B58B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3361400482.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3361804934.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.3361804934.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:false


                  Execution Graph

                  Execution Coverage:22.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:6
                  Total number of Limit Nodes:0

                  Control-flow Graph

                  • Executed
                  • Not Executed
control_flow_graph 30 7ff848e7c56f-7ff848e7c588 32 7ff848e7c58a-7ff848e7c5b2 30->32 33 7ff848e7c5b7-7ff848e7c5bd 30->33 45 7ff848e7d4b2-7ff848e7d4be 32->45 34 7ff848e7c6b4-7ff848e7c6ba 33->34 35 7ff848e7c5c3-7ff848e7c5c9 33->35 37 7ff848e7c75f-7ff848e7c765 34->37 38 7ff848e7c6c0-7ff848e7c6c6 34->38 35->34 39 7ff848e7c5cf-7ff848e7c5e6 call 7ff848e74a50 35->39 43 7ff848e7c7cc-7ff848e7c7d2 37->43 44 7ff848e7c767-7ff848e7c76d 37->44 38->37 41 7ff848e7c6cc-7ff848e7c6e6 call 7ff848e74a50 38->41 39->45 53 7ff848e7c5ec-7ff848e7c65a call 7ff848e7abf8 39->53 41->45 58 7ff848e7c6ec-7ff848e7c758 call 7ff848e70ac8 41->58 46 7ff848e7c80e-7ff848e7c814 43->46 47 7ff848e7c7d4-7ff848e7c7da 43->47 44->43 50 7ff848e7c76f-7ff848e7c7c7 44->50 54 7ff848e7c816-7ff848e7c82b call 7ff848e74a50 46->54 55 7ff848e7c830-7ff848e7c836 46->55 47->46 51 7ff848e7c7dc-7ff848e7c809 47->51 50->45 51->45 139 7ff848e7c65f-7ff848e7c6a9 call 7ff848e70ac8 53->139 54->45 61 7ff848e7d4bf-7ff848e7d4fa 55->61 62 7ff848e7c83c-7ff848e7c842 55->62 138 7ff848e7c75a 58->138 94 7ff848e7d501-7ff848e7d586 61->94 68 7ff848e7c86f-7ff848e7c875 62->68 69 7ff848e7c844-7ff848e7c86a 62->69 70 7ff848e7c877-7ff848e7c89d 68->70 71 7ff848e7c8a2-7ff848e7c8a8 68->71 69->45 70->45 76 7ff848e7c8fb-7ff848e7c901 71->76 77 7ff848e7c8aa-7ff848e7c8f6 71->77 81 7ff848e7c907-7ff848e7c98c call 7ff848e7a9e8 76->81 82 7ff848e7c991-7ff848e7c997 76->82 77->45 81->45 86 7ff848e7c99d-7ff848e7ca21 call 7ff848e7a9e8 82->86 87 7ff848e7ca26-7ff848e7ca2c 82->87 86->45 93 7ff848e7ca32-7ff848e7ca38 87->93 87->94 93->94 100 7ff848e7ca3e-7ff848e7ca44 93->100 163 7ff848e7d59b-7ff848e7d5a1 94->163 164 7ff848e7d588-7ff848e7d58e 94->164 100->94 104 7ff848e7ca4a-7ff848e7ca50 100->104 110 7ff848e7cad6-7ff848e7cadc 104->110 111 7ff848e7ca56-7ff848e7ca9d call 7ff848e7a9e8 104->111 118 7ff848e7cb62-7ff848e7cb68 110->118 119 7ff848e7cae2-7ff848e7cb0c 110->119 206 7ff848e7ca9f-7ff848e7caaf 111->206 207 7ff848e7cab0-7ff848e7cab4 111->207 126 7ff848e7cb6a-7ff848e7cba2 118->126 127 7ff848e7cba7-7ff848e7cbad 118->127 157 7ff848e7cb10-7ff848e7cb1b call 7ff848e7a9e8 119->157 126->45 131 7ff848e7cbaf-7ff848e7cc1f call 7ff848e7a9e8 127->131 132 7ff848e7cc24-7ff848e7cc2a 127->132 131->45 136 7ff848e7cc9e-7ff848e7cca4 132->136 137 7ff848e7cc2c-7ff848e7cc99 call 7ff848e7a9e8 132->137 144 7ff848e7cd19-7ff848e7cd1f 136->144 145 7ff848e7cca6-7ff848e7cd14 call 7ff848e7a9e8 136->145 137->45 138->45 139->53 295 7ff848e7c6af 139->295 158 7ff848e7cdfb-7ff848e7ce01 144->158 159 7ff848e7cd25-7ff848e7cd82 call 7ff848e7a9e8 call 7ff848e74a50 144->159 145->45 185 7ff848e7cb1d-7ff848e7cb29 157->185 166 7ff848e7cedd-7ff848e7cee3 158->166 167 7ff848e7ce07-7ff848e7ce64 call 7ff848e7a9e8 call 7ff848e74a50 158->167 159->45 307 7ff848e7cd88-7ff848e7cdf4 call 7ff848e70ac8 159->307 179 7ff848e7d5b7-7ff848e7d5bd 163->179 180 7ff848e7d5a3-7ff848e7d5b2 163->180 164->163 178 7ff848e7d590-7ff848e7d596 164->178 171 7ff848e7cf07-7ff848e7cf0d 166->171 172 7ff848e7cee5-7ff848e7cf02 call 7ff848e7abf8 166->172 167->45 312 7ff848e7ce6a-7ff848e7ced6 call 7ff848e70ac8 167->312 182 7ff848e7d03e-7ff848e7d044 171->182 183 7ff848e7cf13-7ff848e7cf70 call 7ff848e7a9e8 call 7ff848e74a50 171->183 172->45 188 7ff848e7d658-7ff848e7d6a0 178->188 190 7ff848e7d5bf-7ff848e7d607 call 7ff848e7a9e8 179->190 191 7ff848e7d609-7ff848e7d60f 179->191 180->188 201 7ff848e7d04a-7ff848e7d0a7 call 7ff848e7a9e8 call 7ff848e74a50 182->201 202 7ff848e7d175-7ff848e7d17b 182->202 183->45 326 7ff848e7cf76-7ff848e7d033 call 7ff848e7abf8 call 7ff848e70ac8 183->326 229 7ff848e7cb3c-7ff848e7cb46 185->229 230 7ff848e7cb2b-7ff848e7cb3b 185->230 190->188 191->188 195 7ff848e7d611-7ff848e7d656 call 7ff848e7a9e8 191->195 195->188 201->45 329 7ff848e7d0ad-7ff848e7d0b8 201->329 215 7ff848e7d2aa-7ff848e7d2b0 202->215 216 7ff848e7d181-7ff848e7d1dc call 7ff848e7a9e8 call 7ff848e74a50 202->216 206->207 207->157 219 7ff848e7cab6-7ff848e7caba 207->219 222 7ff848e7d2d4-7ff848e7d2da 215->222 223 7ff848e7d2b2-7ff848e7d2cf call 7ff848e7abf8 215->223 216->45 337 7ff848e7d1e2-7ff848e7d29f call 7ff848e7abf8 call 7ff848e70ac8 216->337 233 7ff848e7cacc-7ff848e7cace 219->233 234 7ff848e7cabc-7ff848e7cac1 219->234 237 7ff848e7d2fe-7ff848e7d304 222->237 238 7ff848e7d2dc-7ff848e7d2f9 call 7ff848e7abf8 222->238 223->45 257 7ff848e7cb58-7ff848e7cb5d 229->257 258 7ff848e7cb48-7ff848e7cb4d 229->258 230->229 233->185 277 7ff848e7cad0-7ff848e7cad1 233->277 246 7ff848e7cad4 234->246 247 7ff848e7cac3-7ff848e7cacb 234->247 255 7ff848e7d306-7ff848e7d340 237->255 256 7ff848e7d345-7ff848e7d34b 237->256 238->45 246->110 247->233 255->45 273 7ff848e7d34d-7ff848e7d3bf call 7ff848e7a9e8 256->273 274 7ff848e7d3c4-7ff848e7d3ca 256->274 257->45 269 7ff848e7cb4f-7ff848e7cb57 258->269 270 7ff848e7cb60 258->270 269->257 270->118 273->45 278 7ff848e7d43c-7ff848e7d442 274->278 279 7ff848e7d3cc-7ff848e7d43a call 7ff848e7a9e8 274->279 277->45 278->45 298 7ff848e7d444-7ff848e7d4ab call 7ff848e7a9e8 278->298 279->45 295->45 298->45 379 7ff848e7cdf6 307->379 382 7ff848e7ced8 312->382 411 7ff848e7d039 326->411 343 7ff848e7d10e-7ff848e7d16a call 7ff848e7abf8 call 7ff848e70ac8 329->343 344 7ff848e7d0ba-7ff848e7d10c 329->344 413 7ff848e7d2a5 337->413 343->329 401 7ff848e7d170 343->401 344->343 379->45 382->45 401->45 411->45 413->45
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID:
                  • String ID: L
                  • API String ID: 0-2909332022
                  • Opcode ID: 73ed810c88c1781e42540d346cf9cdee0f5289d06b4f0b81b40808c1c38ad623
                  • Instruction ID: 559388f6159c94cd3ae8a2ee2af181275e4eb2ffde88d1d23135d07f76b9de5e
                  • Opcode Fuzzy Hash: 73ed810c88c1781e42540d346cf9cdee0f5289d06b4f0b81b40808c1c38ad623
                  • Instruction Fuzzy Hash: D4B2A121B1DD4A4FEB98FA28949567973D2FF98351F1841BAD00EC329BDF38E8428745

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 414 7ff848e730e2-7ff848e73142 421 7ff848e73148-7ff848e731ed 414->421 422 7ff848e73381-7ff848e733c2 call 7ff848e71998 414->422 450 7ff848e732b3 421->450 451 7ff848e731f3-7ff848e732a0 421->451 430 7ff848e733d7-7ff848e733e0 422->430 431 7ff848e733c4-7ff848e733d5 422->431 434 7ff848e733e8-7ff848e73404 430->434 431->434 440 7ff848e73419-7ff848e7341e 434->440 441 7ff848e73406-7ff848e73417 434->441 444 7ff848e73425-7ff848e7348b call 7ff848e719a8 call 7ff848e719b8 440->444 441->444 464 7ff848e73512 444->464 465 7ff848e73491-7ff848e734dd 444->465 455 7ff848e732b8-7ff848e732df 450->455 451->450 491 7ff848e732a2-7ff848e732ad 451->491 472 7ff848e732e1-7ff848e732ef 455->472 469 7ff848e73517-7ff848e7353f 464->469 465->464 493 7ff848e734df-7ff848e7350b 465->493 497 7ff848e73541-7ff848e73558 call 7ff848e738d5 469->497 479 7ff848e73365-7ff848e7337c 472->479 480 7ff848e732f1-7ff848e7330b 472->480 487 7ff848e73559-7ff848e7356a 479->487 480->487 489 7ff848e73311-7ff848e7332c 480->489 498 7ff848e73570-7ff848e7365e call 7ff848e719c8 call 7ff848e719d8 487->498 499 7ff848e73891 487->499 496 7ff848e73334-7ff848e73345 489->496 491->455 495 7ff848e732af-7ff848e732b1 491->495 493->469 501 7ff848e7350d-7ff848e73510 493->501 495->472 506 7ff848e7334c-7ff848e7335e 496->506 507 7ff848e73347 496->507 497->487 498->450 526 7ff848e73664-7ff848e73690 498->526 503 7ff848e73898-7ff848e738a4 499->503 501->497 506->489 511 7ff848e73360 506->511 507->487 511->487 528 7ff848e73692-7ff848e73698 526->528 529 7ff848e7369a-7ff848e736a1 528->529 530 7ff848e736d0-7ff848e737a6 call 7ff848e72418 528->530 529->528 536 7ff848e736a3-7ff848e736c5 call 7ff848e71988 call 7ff848e70628 529->536 553 7ff848e737a7-7ff848e737b8 530->553 545 7ff848e736ca 536->545 545->530 556 7ff848e737ba-7ff848e73889 call 7ff848e72418 553->556 566 7ff848e7388f 556->566 566->503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID:
                  • String ID: ,
                  • API String ID: 0-3772416878
                  • Opcode ID: 3354accf4ed0d3bf517a00aaaf7ec1b576bc141a8207ac54ba1802a76944eb92
                  • Instruction ID: 47050c1a6b8aa366dfc4b8e32b80d2e7fd4d9e2bd4d1c565934986958347a37c
                  • Opcode Fuzzy Hash: 3354accf4ed0d3bf517a00aaaf7ec1b576bc141a8207ac54ba1802a76944eb92
                  • Instruction Fuzzy Hash: CA32C031B1C94A9FEB98EB2C90556B9B3E2FF98790F540579D04EC32C6DF38A8428745

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 863 7ff848e78346-7ff848e78353 864 7ff848e7835e-7ff848e78427 863->864 865 7ff848e78355-7ff848e7835d 863->865 869 7ff848e78429-7ff848e78432 864->869 870 7ff848e78493 864->870 865->864 869->870 872 7ff848e78434-7ff848e78440 869->872 871 7ff848e78495-7ff848e784ba 870->871 879 7ff848e784bc-7ff848e784c5 871->879 880 7ff848e78526 871->880 873 7ff848e78479-7ff848e78491 872->873 874 7ff848e78442-7ff848e78454 872->874 873->871 876 7ff848e78458-7ff848e7846b 874->876 877 7ff848e78456 874->877 876->876 878 7ff848e7846d-7ff848e78475 876->878 877->876 878->873 879->880 881 7ff848e784c7-7ff848e784d3 879->881 882 7ff848e78528-7ff848e785d0 880->882 883 7ff848e7850c-7ff848e78524 881->883 884 7ff848e784d5-7ff848e784e7 881->884 893 7ff848e7863e 882->893 894 7ff848e785d2-7ff848e785dc 882->894 883->882 886 7ff848e784eb-7ff848e784fe 884->886 887 7ff848e784e9 884->887 886->886 889 7ff848e78500-7ff848e78508 886->889 887->886 889->883 895 7ff848e78640-7ff848e78669 893->895 894->893 896 7ff848e785de-7ff848e785eb 894->896 902 7ff848e7866b-7ff848e78676 895->902 903 7ff848e786d3 895->903 897 7ff848e785ed-7ff848e785ff 896->897 898 7ff848e78624-7ff848e7863c 896->898 900 7ff848e78603-7ff848e78616 897->900 901 7ff848e78601 897->901 898->895 900->900 904 7ff848e78618-7ff848e78620 900->904 901->900 902->903 905 7ff848e78678-7ff848e78686 902->905 906 7ff848e786d5-7ff848e78766 903->906 904->898 907 7ff848e786bf-7ff848e786d1 905->907 908 7ff848e78688-7ff848e7869a 905->908 914 7ff848e7876c-7ff848e7877b 906->914 907->906 909 7ff848e7869e-7ff848e786b1 908->909 910 7ff848e7869c 908->910 909->909 912 7ff848e786b3-7ff848e786bb 909->912 910->909 912->907 915 7ff848e7877d 914->915 916 7ff848e78783-7ff848e787e8 call 7ff848e78804 914->916 915->916 923 7ff848e787ef-7ff848e78803 916->923 924 7ff848e787ea 916->924 924->923
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 920b644fea4d3cfbbc5a014c9581b87d80028a10e9cf07bd6d68c89b86400402
                  • Instruction ID: f02bc46f632fb98c404e9bb9ff86e14f92c4fb101847465b0e1767be9ffcff91
                  • Opcode Fuzzy Hash: 920b644fea4d3cfbbc5a014c9581b87d80028a10e9cf07bd6d68c89b86400402
                  • Instruction Fuzzy Hash: DAF1A43090CA8D8FEBA8EF28D8557E937D1FF64350F04426EE85DC7291DB7498458B86

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 925 7ff848e790f2-7ff848e790ff 926 7ff848e7910a-7ff848e791d7 925->926 927 7ff848e79101-7ff848e79109 925->927 931 7ff848e791d9-7ff848e791e2 926->931 932 7ff848e79243 926->932 927->926 931->932 933 7ff848e791e4-7ff848e791f0 931->933 934 7ff848e79245-7ff848e7926a 932->934 935 7ff848e79229-7ff848e79241 933->935 936 7ff848e791f2-7ff848e79204 933->936 941 7ff848e7926c-7ff848e79275 934->941 942 7ff848e792d6 934->942 935->934 937 7ff848e79208-7ff848e7921b 936->937 938 7ff848e79206 936->938 937->937 940 7ff848e7921d-7ff848e79225 937->940 938->937 940->935 941->942 944 7ff848e79277-7ff848e79283 941->944 943 7ff848e792d8-7ff848e792fd 942->943 950 7ff848e792ff-7ff848e79309 943->950 951 7ff848e7936b 943->951 945 7ff848e792bc-7ff848e792d4 944->945 946 7ff848e79285-7ff848e79297 944->946 945->943 948 7ff848e7929b-7ff848e792ae 946->948 949 7ff848e79299 946->949 948->948 952 7ff848e792b0-7ff848e792b8 948->952 949->948 950->951 953 7ff848e7930b-7ff848e79318 950->953 954 7ff848e7936d-7ff848e7939b 951->954 952->945 955 7ff848e7931a-7ff848e7932c 953->955 956 7ff848e79351-7ff848e79369 953->956 960 7ff848e7939d-7ff848e793a8 954->960 961 7ff848e7940b 954->961 957 7ff848e7932e 955->957 958 7ff848e79330-7ff848e79343 955->958 956->954 957->958 958->958 962 7ff848e79345-7ff848e7934d 958->962 960->961 963 7ff848e793aa-7ff848e793b8 960->963 964 7ff848e7940d-7ff848e794e5 961->964 962->956 965 7ff848e793ba-7ff848e793cc 963->965 966 7ff848e793f1-7ff848e79409 963->966 974 7ff848e794eb-7ff848e794fa 964->974 967 7ff848e793ce 965->967 968 7ff848e793d0-7ff848e793e3 965->968 966->964 967->968 968->968 970 7ff848e793e5-7ff848e793ed 968->970 970->966 975 7ff848e794fc 974->975 976 7ff848e79502-7ff848e79564 call 7ff848e79580 974->976 975->976 983 7ff848e7956b-7ff848e7957f 976->983 984 7ff848e79566 976->984 984->983
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0af94d668f65368d8912e8bd73b206bf3bc3c4d43a00c5fa0349b7197ecd900a
                  • Instruction ID: a60e557ce569b406c0ee4889c71c1f31a75ff4bc702543b71143fb9eafea92e3
                  • Opcode Fuzzy Hash: 0af94d668f65368d8912e8bd73b206bf3bc3c4d43a00c5fa0349b7197ecd900a
                  • Instruction Fuzzy Hash: E8E1C23090CA8E8FEBA9EF28D8557E977E1FF54350F04426EE84DC7295DB7898418B81

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 639 7ff848e729e1-7ff848e72ad0 LoadLibraryA 645 7ff848e72ad8-7ff848e72b31 call 7ff848e72b32 639->645 646 7ff848e72ad2 639->646 646->645
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 50afe0f81dcd26447132740f3b4a39931154eac3551ce07d841bd058c538d8a6
                  • Instruction ID: 80bb06370499c35c02b7de7d2fc2ff24a3681dc9a6f897c060c48f1a8e362e0f
                  • Opcode Fuzzy Hash: 50afe0f81dcd26447132740f3b4a39931154eac3551ce07d841bd058c538d8a6
                  • Instruction Fuzzy Hash: AB416A70908A4C8FDB98EF58D845BEDBBF1FB99310F04426AD00ED7292DB75A845CB81

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 652 7ff848e72d3d-7ff848e72d49 653 7ff848e72d4b-7ff848e72d53 652->653 654 7ff848e72d54-7ff848e72d63 652->654 653->654 655 7ff848e72d6e-7ff848e72e29 VirtualProtect 654->655 656 7ff848e72d65-7ff848e72d6d 654->656 661 7ff848e72e2b 655->661 662 7ff848e72e31-7ff848e72e59 655->662 656->655 661->662
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.3364488092.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff848e70000_1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: b4ec7af0f2ed740bc98e7d227df1c92b7ed888fa15938ae0d153165ed536736b
                  • Instruction ID: fee99acce37759d8634cecdbf76265667e2f1a0985864ac0e17884406952c58e
                  • Opcode Fuzzy Hash: b4ec7af0f2ed740bc98e7d227df1c92b7ed888fa15938ae0d153165ed536736b
                  • Instruction Fuzzy Hash: EE41E63190DB885FDB1A9B689C466ED7FE0EF96321F0442AFD089C3193DB746406C796