Edit tour

Windows Analysis Report
adjthjawdth.exe

Overview

General Information

Sample name:	adjthjawdth.exe
Analysis ID:	1565832
MD5:	28aaa8f0b29a96138fd597975a16c5d4
SHA1:	b0ea5394610d089ab5248631a4c0f6666f79ffcd
SHA256:	2516d63aa8aef58d6f0a4e330bd87209872b0ff21a17cff5201a2d4783c5bfab
Tags:	exeuser-aachum
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

adjthjawdth.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\adjthjawdth.exe" MD5: 28AAA8F0B29A96138FD597975A16C5D4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/httppacketbigloadSqluniversal"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
adjthjawdth.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2006586336.0000000000292000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: adjthjawdth.exe PID: 5820	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.adjthjawdth.exe.290000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: adjthjawdth.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\dKSKtFsn.log	Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd
Source: C:\Users\user\Desktop\IqtvERdd.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\EACFwUdk.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: adjthjawdth.exe

Malware Configuration Extractor: DCRat {"C2 url": "http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/httppacketbigloadSqluniversal"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\EACFwUdk.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IqtvERdd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\cFHjtWCn.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\dKSKtFsn.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\oywAdRnV.log	ReversingLabs: Detection: 29%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\mnazdyIV.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oywAdRnV.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IqtvERdd.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: adjthjawdth.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: adjthjawdth.exe	String decryptor: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"a16c206c-6675-4a07-b8b3-f396ed5c6bae":{"_0":"RU;BY;KZ;UA;AM;AZ;KG;MD;TJ;UZ;TM","_1":"Allow"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive","_1":""},"20c484a2-7b5b-481d-bf01-55d423c9c2fd":{"_0":""}}
Source: adjthjawdth.exe	String decryptor: ["wdGIkuZia4YBwTlw2L0twuQ9TN9MNCrBgxuubX56BKoTKHSdTGvUuM7CMGyXvNUYNWe9j0UeQ4rmF6zM5g2GRXRTzshUihLxzQGxmS3cvQD0eV6PRlcPVOH0FLJ0TA6s","2bf94237ebff06b94f9063ab35428ef71d548cd35c74e903d7b57c39b44850b8","0","","","5","2","WyIzIiwie1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvc3RhdGljZmlsZS5leGUiLCI1Il0=","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: adjthjawdth.exe	String decryptor: [["http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/","httppacketbigloadSqluniversal"]]

Source: adjthjawdth.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: adjthjawdth.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\adjthjawdth.exe

Code function: 4x nop then jmp 00007FF848E5DFC6h

0_2_00007FF848E5DDAD

System Summary

.NET source code contains very large strings

Source: adjthjawdth.exe, s67.cs

Long String: Length: 205744

Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF848E63415	0_2_00007FF848E63415
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF848E51EC3	0_2_00007FF848E51EC3
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF8490311FA	0_2_00007FF8490311FA
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF849030AD3	0_2_00007FF849030AD3
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF849030D0D	0_2_00007FF849030D0D
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF8490324F8	0_2_00007FF8490324F8
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF849030888	0_2_00007FF849030888
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF849030EFA	0_2_00007FF849030EFA
Source: C:\Users\user\Desktop\adjthjawdth.exe	Code function: 0_2_00007FF849030AFB	0_2_00007FF849030AFB

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\EACFwUdk.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: IqtvERdd.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EACFwUdk.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: oywAdRnV.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mnazdyIV.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dKSKtFsn.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: cFHjtWCn.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: adjthjawdth.exe, 00000000.00000000.2006586336.0000000000292000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs adjthjawdth.exe
Source: adjthjawdth.exe, 00000000.00000002.2022911155.000000001AF82000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs adjthjawdth.exe
Source: adjthjawdth.exe, 00000000.00000002.2019732055.00000000026A8000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenamehC5ZBAGhgeGr91UA4g4aLnitDd8fsaPt4 vs adjthjawdth.exe
Source: adjthjawdth.exe, 00000000.00000002.2019831317.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs adjthjawdth.exe
Source: adjthjawdth.exe, 00000000.00000002.2019831317.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs adjthjawdth.exe
Source: adjthjawdth.exe, 00000000.00000002.2019831317.0000000002A99000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs adjthjawdth.exe
Source: adjthjawdth.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs adjthjawdth.exe

Source: adjthjawdth.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: adjthjawdth.exe, E32.cs	Cryptographic APIs: 'TransformBlock'
Source: adjthjawdth.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: adjthjawdth.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: IqtvERdd.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: EACFwUdk.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vWuPNbNC.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: oywAdRnV.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: mnazdyIV.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dKSKtFsn.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: cFHjtWCn.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: adjthjawdth.exe, s67.cs	Base64 encoded string: 'H4sIAAAAAAAEAAEpBNb7CFZFVE0jJFZZT0xNRrXk4eepsePi7KS+s+60o+6kpvS+rKTy9fv6oq///vr5gpvZgfuVhJ2K/djeyY+Cje+AkImW293V0dHc2dnS2d6loK2mrKmjoaaipa+uqKiooLa5vbrvm7KsuJe6r7aCsYWLgIKIh4eMh5mGiISBiYeVkpaSmJiTkp2YkJWVkJaSOkxnd2VIZ3RjVWRibmNrZXR3eH55fmZ0dnVqfn52cnJOSk1GS0xOSE5MSRF4X0FBfFhcWGhbUFlSUVdQVFVTVCIrKSglJygjKyckJCssKSA3Mzw2MTZsBTc3MzUAMzU1DQ4NCwgCCQwLCgUPBQ4EBRYUEBUbGBoVFBMdHRQWRC3v7+vt2Ovg7+rm4uLh7Ovj8v764/739Pv8+vT8//P/787FzcfO1ZzlwcfLxc/I7cfR2Nzv2tfQ2dnc1tbT0NvWramus6mirKmiprqjpL2lpL+9uKO174a/ubeutLGBsLGQiZKPlIKJhoOBgoGPhYWEmJyblJOUnZ6Sl5GTmpOaxVROTFRhZ1ppbm9kaWlhaGt/dHt8fHB4fHJweHVxfHp1SURKSUxETEUScEVZQ0RyQVFaXVpVXFRZXUlZXlheTlMpKy8qJSgoJiEuKC48IC0tagg9ITs8Cjk5Pzg4PjcuPRAHAwcIDgsPBQoGAwcICwAUHBMeFxMaFEI0Gw8UKh8T7OT23+rt6OHp5+Hl4+7o6v/38Pfw8vX+8vf38/L78PTEz8PCwJ/lyMHHyMrfyPLB2dze3N3T3dDS2N3c1NPQ3KqqqqSjoa6mpKSppaqmoqTqhaC2rrqkh5WFtLKwur2xiISOk4eNiISNjIObhZ2HhZGdmJiWmZSUl5uWwbu8i4toXWxsYWlsY2RtemVhaWxseH58enF5f3N/dnh/eHt4eUxAThlhanV7RkpATkBLXkNAXVdRUF9cUlZVVktWXlxTLSspJScjICktcwAqNDUCJjI0ICctCTg7PzQqOCw6Mi8OBgYMBQkEAA0GBg8JDAQJEx0cGxUTF00rGBweLBwSI+7g6uzo9eDj4ejm4evn6Of//Pv7///0+v/z8//w/vrxz5vn28vB09SKhYj0no+UjfHd3pPhxtPFy5uWmeOOnIXilbC2oee76+qo+/2v//75s/zk5ePg++O56e32vuW87M2H0drSgILSi9+IionP1JTSrsLRztekosO7o8C3p8WqQTpDTj9EXDxDTjFGSDZaRStESChAWDQ7OkYrOSY/X3NMTlUBWQkEQU4bHR5IFRoCAQJUChkBAVUAFANfWQsTXnMlJCYlJ3UiKXgvaXY2bBBgc2hxBywlIz00ej8uNCg6Qk1APFVHXEVKFEZJXl0NW0hFE0FZQhRCGlROQ00ZUx3msbOusbDis7q66bLvv+jrsqvpscultK26u+fmA+Ub0SkEAAA=', 'H4sIAAAAAAAEADSbx3KDyhKG3+VuWZDTUoicM4izIuecefqDT9V1VbsseZgZMd1//59k//PP/0RslT7//zIumkHL1M5UhNSePZHldkmVtZwh/6oUNd8yRms+zun8opaD7hguo1U+Jb3/RDfkVFduj+Upsr/fU7ns4rQedGL51ygkVr5O8Tt9zSH6PL+CRH2NNJ4ZDytyN0lwL8iBBsyN9rMwQpaZ2MkZnZABvYGx7hVsDouqRJR0pGoQg/3iQIvPMfuXgS1ejmnmYspmhMkPcjvGYAcZiKa5j4iPvCG2iWhxaPaZhhwDiltgcjf45pp9Z4AQTpIwA9p6YZRYGvJjwAficGzLt3RNea7DRa6mCT2E3h+LrHQ92b7ENrTl/HlKqioaSKLXITlnUs3rSaVn8OFPkFWvefGWRRgUb5xACgSygjyPh7aOYx21jZo379MsoDXaCVCp4EKP4MiHGvepwgyufoVpAs0PKFwUwZEtGxGXTkn1ty9nnqFPNH0LAouRkRDIfFDPa1NBrNAMY7lVTtpXY9BzDlwqMmKKJ/NEx3481/epe7sL/usBASyunQhificCYwH2fqd//cKcP8FMEAc/zyvdbMEgfNMCKkT4BxNaY/5yiY7BPDdtV37AaCfwprvpo+gHXk33fTjycEcBfBVFVXNBqigsmERpGGdpwQ/HAgWdw7cLsjsWlV+e5w5iVLw8SvZ510CKu7MNtNgD48moLM1H4Ln3Ai5oCgGJZ0CJcwvhL7AMfkg/J4QR5IbfCIWB7wFtW0oFBb3gM/keTCjgQAaCSoHgzr4LCY9jk3IAEIUr2TgApLqY2/Mxlp3I881IEws/DBM1UxzMPJqD5IMk+t1BoP4h15LL8kMYCKwOD7EoGA5es7VgOzPGwEKnD/MhR4ClRLLZkV/RlDFAU6SmoThVCCbKGkhooDtwlGESHg4RbWsG0NNDUZE5JDFIWX0RxuO47vNzNCOSDldGETRGD7wLQssFvTeEdHCFSTxi1+pUjFQMTKlqecaED1UXnHo4A41dzOBJOwRSrBpdULPtmRIUKswInfe4wZE2RdAieb7e8TWIhyQugsFCijJMMl713UQHkE/aPKXQhz3UsHieh4ZY6qfCMH3qlGkKTce8+YiGwRE+BEnjtKusxZbR6PeGKBq8KFTZixxE1LECC+cYjh3hu2KIS5Ik2qukHTFBuw+FO0XhNwm2Nkh+kfe15uE7a7rCYA7E4F4jQGyCDtuTKUZGULGB00nx/PFkQzfjY1MhD0DwXZZB1LHH4nxmc0HT8A4K2iHyOUibAbiwINKnQ3FtJOVRewSumYj6UYAsYlS2FDkBOI0doZ+RXijTFAiOozrAD3JF/rJtJP1AaIEWCycTO2IEQeEQGV+52YM+wqGrGD0jqjBxiJI3yKzDTGyiEUNGsQgCpoBGudGLKtho6Y4EKuKgBbQcRw2lQalTV6jCQrkc1YRP1lgidW5P1j359+R9R9/C2tn3ZtibTU8ZDV/y5ozrdEP+4FA7KHc6Tvc8KEQ6Rvc0KEG6RHczKPvaMdE
Source: adjthjawdth.exe, 8B6.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: adjthjawdth.exe, 76n.cs	Base64 encoded string: 'XoE04niGliUyZ/7Kh1E/etX1LbDQdn0SqqsV+nHFiulJwpj4TWlYfhbILcrts50jNhjqymYEoyjEk1K/gor9IYKDPMBinVNQuf7+WkAgd4AeWIRNOOhbKMdschDnwF0Pf0rdFc6+IvcVVZD4IsCqBKLo7TcZc9bx1XpHQdOSyRkWS31LyTPI/HXy8qfRLs5Yf9NWxaZUn7De8PWy24sFqeeIY/stvmkcjz3Kn4VEMZaySRI1Vmt7ZrqKxpJ9ZyyKEcHMdNq3xPhZ0GUFU45oYZYHWMHyHL06juvoZizqbrf6wDZKac/uJPN4sVw10keC'
Source: adjthjawdth.exe, 7YK.cs	Base64 encoded string: 'qeotofVvHlleEIn2uQ4cKeAMtCBfIQK4FgMaaVM/BiAfHHB4L/AARWx2/G94Z2OHKO6zCCkHM9O5+Ee/veQ7r5HswaulFST4Iz/f5taeVP0G4QHH+a7nvIL05KbPPyANnVfSjDoNmBbEqyErBYNlD/RRlhwossTOKfmwtxfQ9haE414fZppr+qUphKzmxtVviHzzBcD4BzCHNxDjdVxyxa00wPwGIs1LPOIaTYSOYA5YqrXIh034hXP3lTSsyCvSd5Jg1QIeDJJwInz/UbxtQZkQtpUJt/dfmpTdPSOI2js0BaSNgYkhwelNlCxC4jl5WJhxTF80xjW0Hv9ytyB/Zm1XYMwJIExDIpxglrOBO73cjb/0EGHT+IAcB72TFgNSNu1/+/OTpAAbviUjMaXIvH7YBRjeLzuW0ahg+UYuI5eJvPA7h1L81oU+LZvdzg5E4z2xzwIM6MmpetGLoc5mL22T+UBKUHO3huh0xUc920yiwLVmUc2zsUAPRG7Uicxq1gkqx7AlAfhZXz0IcQ3WG6HhJzqF4f/9aowzQyHLLQE=', 't4xzzBkmmZUATayewRC6F5clIQsbIDJvTUHkhGaQBzn53GgpWpEB79nxbLqiTJdiQjq8TO6q1w4PRgrCuDEd9HyTrTIVZ172WEpUZhVIsXKLFXf5eoyPEAjIuXRAFkQA'
Source: adjthjawdth.exe, 52Z.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='

Source: adjthjawdth.exe, m9F.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: adjthjawdth.exe, m9F.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.adjthjawdth.exe.2852348.20.raw.unpack, dc0734a88c317d004f0314d3047a1c4ad7007285ba8780cb0d5aad350c309a49f970517ef397a.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: mnazdyIV.log.0.dr, dc0734a88c317d004f0314d3047a1c4ad7007285ba8780cb0d5aad350c309a49f970517ef397a.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\adjthjawdth.exe

File created: C:\Users\user\Desktop\IqtvERdd.log

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\2bf94237ebff06b94f9063ab35428ef71d548cd35c74e903d7b57c39b44850b8
Source: C:\Users\user\Desktop\adjthjawdth.exe	Mutant created: NULL

Source: adjthjawdth.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: adjthjawdth.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\adjthjawdth.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Section loaded: ktmw32.dll	Jump to behavior

Source: adjthjawdth.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: adjthjawdth.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: adjthjawdth.exe, 1a2.cs	.Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: adjthjawdth.exe, 857.cs	.Net Code: _736

Source: C:\Users\user\Desktop\adjthjawdth.exe

Code function: 0_2_00007FF848E53CB9 push ebx; retf

0_2_00007FF848E53CBA

Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\EACFwUdk.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\cFHjtWCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\vWuPNbNC.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\IqtvERdd.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\oywAdRnV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\dKSKtFsn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\mnazdyIV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\UbzuJcnG.log	Jump to dropped file

Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\IqtvERdd.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\EACFwUdk.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\vWuPNbNC.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\oywAdRnV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\mnazdyIV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\dKSKtFsn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\cFHjtWCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	File created: C:\Users\user\Desktop\UbzuJcnG.log	Jump to dropped file

Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe	Memory allocated: 2550000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EACFwUdk.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cFHjtWCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vWuPNbNC.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IqtvERdd.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oywAdRnV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dKSKtFsn.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mnazdyIV.log	Jump to dropped file
Source: C:\Users\user\Desktop\adjthjawdth.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UbzuJcnG.log	Jump to dropped file

Source: C:\Users\user\Desktop\adjthjawdth.exe TID: 2792

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Code function: 0_2_00007FF848E5EC5A GetSystemInfo,

0_2_00007FF848E5EC5A

Source: C:\Users\user\Desktop\adjthjawdth.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe	Queries volume information: C:\Users\user\Desktop\adjthjawdth.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\adjthjawdth.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\adjthjawdth.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: adjthjawdth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.adjthjawdth.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2006586336.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: adjthjawdth.exe PID: 5820, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: adjthjawdth.exe, type: SAMPLE
Source: Yara match	File source: 0.0.adjthjawdth.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2006586336.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: adjthjawdth.exe PID: 5820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
adjthjawdth.exe	100%	Avira	HEUR/AGEN.1309961
adjthjawdth.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\dKSKtFsn.log	100%	Avira	TR/AD.BitpyRansom.lcksd
C:\Users\user\Desktop\IqtvERdd.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\EACFwUdk.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\mnazdyIV.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\oywAdRnV.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\IqtvERdd.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\EACFwUdk.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IqtvERdd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UbzuJcnG.log	17%	ReversingLabs
C:\Users\user\Desktop\cFHjtWCn.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\dKSKtFsn.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\mnazdyIV.log	4%	ReversingLabs
C:\Users\user\Desktop\oywAdRnV.log	29%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565832
Start date and time:	2024-11-30 22:23:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	adjthjawdth.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 45 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: adjthjawdth.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\EACFwUdk.log	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	iN1fhAtzW2.exe	Get hash	malicious	DCRat	Browse
	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	rbCoIEGfDf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LWv5DuboZh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	rvNK8fDa0k.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	RustChecker.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	KPFv8ATDx0.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\adjthjawdth.exe.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.366581410225247
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAM
MD5:	289874BC03B0CB1B73F95A44E23B84A5
SHA1:	F275F15181639F5CF9D17D52B662078C7982BBE1
SHA-256:	0848F9D75F9CB57CB8505936C8D1806D4140BEFE2B169CD022ED97A6094B3F6F
SHA-512:	227F67091FEF053586FA6DE1BA1FC2AD7631694401727C3A9F53ABBA6B46574EE72612827CBE91A39AD55EE5B5FE9286E7B54DD8262D6B35B0FE3ACBE24697B4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\Desktop\EACFwUdk.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: qNdO4D18CF.exe, Detection: malicious, Browse Filename: iN1fhAtzW2.exe, Detection: malicious, Browse Filename: based.exe, Detection: malicious, Browse Filename: 4Awb1u1GcJ.exe, Detection: malicious, Browse Filename: rbCoIEGfDf.exe, Detection: malicious, Browse Filename: LWv5DuboZh.exe, Detection: malicious, Browse Filename: rvNK8fDa0k.exe, Detection: malicious, Browse Filename: RustChecker.exe, Detection: malicious, Browse Filename: KPFv8ATDx0.exe, Detection: malicious, Browse Filename: LzmJLVB41K.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\IqtvERdd.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\UbzuJcnG.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cFHjtWCn.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dKSKtFsn.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mnazdyIV.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oywAdRnV.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vWuPNbNC.log

Download File

Process:	C:\Users\user\Desktop\adjthjawdth.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.45778554132892
Encrypted:	false
SSDEEP:	384:O+EQ5SccsLOYWRl1U/JRZA6cBrhhptFFg96lB1Cev6xTu:5NlWNU/G6cbHblt/vl
MD5:	F6BA6A3BAE64426F936CA859866F594B
SHA1:	176047CACF3E8AF31DB121ADD21E122B192D8B62
SHA-256:	4B18BEB315D1D3C80B85F77CAFBD45199C68C11F422D6657355687310929B13E
SHA-512:	C7B3E09F57481CE131F3FDC3EFFBDACB38FBB3AC22BA88B5688182846F9AE413CA543666B85961364E823341B83CBDB97E0E48649677018C99B6CA2DA9BD0E4E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v9g...........!.....N...........l... ........@.. ....................................@.................................\|l..O.................................................................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............XL..x...................................................................................................................................................................(h7.......5....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.328365037455943
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	adjthjawdth.exe
File size:	909'312 bytes
MD5:	28aaa8f0b29a96138fd597975a16c5d4
SHA1:	b0ea5394610d089ab5248631a4c0f6666f79ffcd
SHA256:	2516d63aa8aef58d6f0a4e330bd87209872b0ff21a17cff5201a2d4783c5bfab
SHA512:	7feafb633d698a96d81fae7069ebc2492caa253ade2106a645353096e7855e9cf33a69307f71f253ebbb5b957abab0de608860cc5efb7a2196720c269f8c231d
SSDEEP:	12288:wAl1WPQtkQNQ6yMs/Ua+iXPrQfkXmm1RhdLB9XirkVknCBz9eQFZz//qK4oV4g50:wwFp5yMs/UFEPLZj956t1
TLSH:	CF15C72429EB003AF177AFB599D1349E9A6EF6F377079E8E305043C64712B80DD9163A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..........".................~.... ........@.. .......................@.......B....@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4df77e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdf72c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdd784	0xdd800	e433cc6a968f1c30faf4ee9a423fa83f	False	0.42980874365124155	data	5.3335179988311445	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x370	0x400	df5bed93b5a9e86812000feef296611f	False	0.376953125	data	2.856785757722979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	9ede4f3511eec98b05b839651fbdb2c7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0058	0x318	data			0.44823232323232326

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: adjthjawdth.exePID: 5820, Parent PID: 1028

General

Target ID:	0
Start time:	16:23:55
Start date:	30/11/2024
Path:	C:\Users\user\Desktop\adjthjawdth.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\adjthjawdth.exe"
Imagebase:	0x290000
File size:	909'312 bytes
MD5 hash:	28AAA8F0B29A96138FD597975A16C5D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.2006586336.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: adjthjawdth.exePID: 5820, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.8%
Total number of Nodes:	34
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF848E51EC3 Relevance: 15.2, Strings: 11, Instructions: 1498
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00007FF848E51FC5
", xrefs: 00007FF848E52463
[, xrefs: 00007FF848E52567
{, xrefs: 00007FF848E52D06
[, xrefs: 00007FF848E52856
], xrefs: 00007FF848E525AB
}, xrefs: 00007FF848E52D4A
u, xrefs: 00007FF848E520EC
}, xrefs: 00007FF848E53200
], xrefs: 00007FF848E5289A
{, xrefs: 00007FF848E531BC

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID:
String ID: "$[$[$\$]$]$u${${$}$}
API String ID: 0-3490533229
Opcode ID: a58d022f74b162712db0c3c2b054cc58487be647bf06364a4e440ce242d16238
Instruction ID: 53706908c4d77f05438530c52a22100f5acad676781e1a954f7082a6075e0e21
Opcode Fuzzy Hash: a58d022f74b162712db0c3c2b054cc58487be647bf06364a4e440ce242d16238
Instruction Fuzzy Hash: 1DD2B370D196298FDBA8EF28C8947A9B7B1FF59341F5041EAD00DE7291CB35AA81CF44

Function 00007FF848E5EC5A Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00007FF848E5ED72

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 18681716d9ee3de75d7bfb35744e56e99cbb9edbb1d77f2c63491dcff8467c94
Instruction ID: a2690f2094df030d6b1976acfee2ae2a07177074ff322b289667ee0e3b06672d
Opcode Fuzzy Hash: 18681716d9ee3de75d7bfb35744e56e99cbb9edbb1d77f2c63491dcff8467c94
Instruction Fuzzy Hash: 47518B7090CA8C8FEB59EFA8D849AE9BBF0FB55310F14416AD00DD7292DB34A845CB50

Function 00007FF848E63415 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458871bc451f4086452e1ce660e47fdda26c2975e898cf69c1ecb1b13e80523c
Instruction ID: 7b3ae1d95a6e854a2b90a4866b1607954690033a556f5f14e37857f6e02436ea
Opcode Fuzzy Hash: 458871bc451f4086452e1ce660e47fdda26c2975e898cf69c1ecb1b13e80523c
Instruction Fuzzy Hash: C952297090861D8FDB58EF14C491BF9B7B2FF68344F6041ADD05EA7282CB39A946CB54

Function 00007FF848E5D04A Relevance: 1.8, APIs: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FF848E5D252

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 6824c3e9744ceaa50b47560a854ef49e23503e140c90cbc5d8ff11cdb24e4d06
Instruction ID: c9d5509b1579e2d666161bf58f082f9d8ff9e2eae463a567533c8739fb623fc0
Opcode Fuzzy Hash: 6824c3e9744ceaa50b47560a854ef49e23503e140c90cbc5d8ff11cdb24e4d06
Instruction Fuzzy Hash: 30913670908A5C8FDB99DF58C894BE9BBF1FB6A310F1011AED04DE3291DB75A984CB04

Function 00007FF848E5D2F5 Relevance: 1.7, APIs: 1, Instructions: 219
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 00007FF848E5D479

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0e28d5d4851fd0a13a21647f8f561001f3eb7f89eac1e4e886fe7206853275b1
Instruction ID: dd1734d9f7af9590a60ee9bf6f91b6636786e735fb1836a97d6d336342ec4490
Opcode Fuzzy Hash: 0e28d5d4851fd0a13a21647f8f561001f3eb7f89eac1e4e886fe7206853275b1
Instruction Fuzzy Hash: AB611570908A5C8FDB98EF98C895BE9BBF1FB69311F1041AED04DE3251DB74A985CB40

Function 00007FF848EC0897 Relevance: 1.7, APIs: 1, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF848EC09A1

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a102e4efd0519762fff518d8e4bd21d55863d06fcea60d76bc159e78a41f8782
Instruction ID: 50d068a4812f1cc149743231351894b79a20d17c39e82bcedb7478969048bcf7
Opcode Fuzzy Hash: a102e4efd0519762fff518d8e4bd21d55863d06fcea60d76bc159e78a41f8782
Instruction Fuzzy Hash: B6413974D08A5C8FDB98EF98D885AEDBBF0FB59310F10416AD40DE7252DB71A845CB44

Function 00007FF848E5EC91 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00007FF848E5ED72

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 43cc22925e5953ef5faaefc86a61df586a3b665c669674bbf3c532f73c3204f9
Instruction ID: 6a4f402a1362db15fb42fcf8f207ee10cde5ee836bdeae87924a433b622ef751
Opcode Fuzzy Hash: 43cc22925e5953ef5faaefc86a61df586a3b665c669674bbf3c532f73c3204f9
Instruction Fuzzy Hash: 55418E7090CA8C8FDB89EFA8D859BE9BBF0FB56310F1441ABD04DD72A2CA745845CB51

Function 00007FF848E5F0F5 Relevance: 1.4, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF848E5F229

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c140cd10ce3d44a2b5d1c9f3843cace94926914924c3844bfac68fcb74a0d05f
Instruction ID: fd6af4e0aad452975be63bba0ef3dbb891b6ff71738d4ac5e4411aa8ecab856b
Opcode Fuzzy Hash: c140cd10ce3d44a2b5d1c9f3843cace94926914924c3844bfac68fcb74a0d05f
Instruction Fuzzy Hash: 1A512A74918A5C8FDF58EF58D885BE9BBF0FB69311F1042AAD04DE3251DB70A981CB81

Function 00007FF849037618 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FF849037692

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 18de5f58bb7853f88cdee2834da9cc647c98a65c893ac77e496b02b4b95edbbf
Instruction ID: 2d9c42d100f70c9576cd15bf3ff1118fa3233ff28d2b438cc858b19fe0ecc143
Opcode Fuzzy Hash: 18de5f58bb7853f88cdee2834da9cc647c98a65c893ac77e496b02b4b95edbbf
Instruction Fuzzy Hash: F8516C31D0C68A9FDB69DFA9C4645BDB7B1FF89340F1441BAC00EE7282CA356905CB50

Function 00007FF849035082 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

;X, xrefs: 00007FF84903512A

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID: ;X
API String ID: 0-3174277730
Opcode ID: a3bb4e0d6d83bba6ed59dc2b19b3c9e311e48d377ffb24fce482b3c998da5691
Instruction ID: b52f0a252cafb48550535b1df125db3f8fda1b285a6dd7a1c2090732f2f49487
Opcode Fuzzy Hash: a3bb4e0d6d83bba6ed59dc2b19b3c9e311e48d377ffb24fce482b3c998da5691
Instruction Fuzzy Hash: D721D735E1895D9FDFA8EF58D4A5AEDB7F1FB59310F0041BAD00EE3291CA35A9818B40

Function 00007FF84903788F Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cb8f722eb39e332478e689826cc4878ce6fb8eaf00204f51553edc1aa79cb6
Instruction ID: 6541763c5165d218fe318638334f2ba6e9f1a4c59571c2cbf31b798108a39492
Opcode Fuzzy Hash: 35cb8f722eb39e332478e689826cc4878ce6fb8eaf00204f51553edc1aa79cb6
Instruction Fuzzy Hash: 0ED17D3052C5968FEB69DF19C4E06B537A1FF85350B5445BED84E8B68BCA38F881CB81

Function 00007FF8490378AF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b127501a63f7900d01974f415013136d1f55cdcd5e00ab55fc0e2c7857a411b
Instruction ID: b52f320ffa05798213a4ed5d7f728c0abe57dc0b16ecfefb4fd65dbfd42bc2b5
Opcode Fuzzy Hash: 1b127501a63f7900d01974f415013136d1f55cdcd5e00ab55fc0e2c7857a411b
Instruction Fuzzy Hash: 65C17C3052C5868FEB69DF19D4A06B537A1FF85350B5445BED84E8B68BCA38E881CB81

Function 00007FF84903719A Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b355dfbee4a7ca5578d87b28f43c6e6458681513b09b18a6b67a557176736648
Instruction ID: 48ea635042131cb96c57761230e77b1e882f3715edc6eaca5d2e24098d629527
Opcode Fuzzy Hash: b355dfbee4a7ca5578d87b28f43c6e6458681513b09b18a6b67a557176736648
Instruction Fuzzy Hash: C1B1E53090DAC69FEB69EF25C0906B4BBA1FF45340F5441BAD44EC7A86DB28F851CB91

Function 00007FF849034B97 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6d7e70107ae15225743658a70b18ae43baf743549553c112f6cf90b2a1724b
Instruction ID: 27cc86dc2a2ff5998ada212bc333a8a353567cb72f42015034dc8a241591ad52
Opcode Fuzzy Hash: 7b6d7e70107ae15225743658a70b18ae43baf743549553c112f6cf90b2a1724b
Instruction Fuzzy Hash: 4C21E222D0D6D39EFB79BFE658511B87A50AF012A4F2D01BBC04D8E0C3DD0CA8444792

Function 00007FF849036676 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e30b74e045e39cd6bac8b02ec2fe30970c605ef4abad805ce9f5f99dce0854
Instruction ID: a03f51324b10095ba4cd1034c0e9508be008d7b5c3950cc4e4670e9419ef3952
Opcode Fuzzy Hash: 09e30b74e045e39cd6bac8b02ec2fe30970c605ef4abad805ce9f5f99dce0854
Instruction Fuzzy Hash: 0E81253190CA828FEB38AF2994561797BE0EF46394F14467FD48FC3182DE29F8428752

Function 00007FF849034849 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 156bcc0a71697896fcccc93774daf23c3c36c107143273f8a1e2727ccd5b4258
Instruction ID: 0cd0b53eafbc7bdc8004d044e399ebc944bc279ce0c239fba22d239c108d27dc
Opcode Fuzzy Hash: 156bcc0a71697896fcccc93774daf23c3c36c107143273f8a1e2727ccd5b4258
Instruction Fuzzy Hash: 7771363590C5CA4FEF78FE5A88565B837D0FF453A0B1002BBD09ECB5A2DE18E8168781

Function 00007FF849031CE1 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561bb74882cd4352b422443048bc0a01c3c3a83a851f7cf6fae5c686fff6838b
Instruction ID: dc903d32da8ba7de87572ce8860b81986781769c8e9ca12ecb175933dd59ac99
Opcode Fuzzy Hash: 561bb74882cd4352b422443048bc0a01c3c3a83a851f7cf6fae5c686fff6838b
Instruction Fuzzy Hash: B471043590C98A8FEFF8EE09C8559B837E1FF5D351B14027BD49EC7592DA29E8068780

Function 00007FF849033259 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decfe364d698a4fb5c5763d1dea9626310b6281203059cc591f04884c56812f7
Instruction ID: 0b9a8fd5e40cd5458cefbe0721f48b1abb29d6ce74e67871b0e4c1de196e03aa
Opcode Fuzzy Hash: decfe364d698a4fb5c5763d1dea9626310b6281203059cc591f04884c56812f7
Instruction Fuzzy Hash: 6271067190C58B4FEF78FE1984965B437D0EF44390B5442BAD49EC75A2DE18E8168781

Function 00007FF8490388D1 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44e7a292662bb0c4be4edb25f6cc36fe43af94039e42c86f493a0fd311c2153
Instruction ID: b3f81efff05b13a46fa22fc3fe993bd642412ae6cde3747b7e95a4c93cdbc42a
Opcode Fuzzy Hash: d44e7a292662bb0c4be4edb25f6cc36fe43af94039e42c86f493a0fd311c2153
Instruction Fuzzy Hash: 2881AB3091CB868FEB79EF16D49557277E1FF44340B1449BEC88E87A96CA29F842CB41

Function 00007FF84903540B Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f901e4d7f147a92303fc43d3274ed065ee882bfa1dc0aa440d88a28874a75
Instruction ID: a7ff0f80f713987d0ca078419f55dce66590b0d4750720aa9944de55d6ed90d9
Opcode Fuzzy Hash: df2f901e4d7f147a92303fc43d3274ed065ee882bfa1dc0aa440d88a28874a75
Instruction Fuzzy Hash: 2471B130D1D98A9EEF79EF6588556BDBBB1FF05384F5404BAD00ED71A2EE28E8418701

Function 00007FF849039556 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ba3689c383fcbb9b4bcbfb3f626e6f900fa2cadab44828a83fa15c38ce7a09
Instruction ID: 887f29e8558a8a46563c11d4f58b30fd6bc0a3036340fe5a6c80821477c2600b
Opcode Fuzzy Hash: 03ba3689c383fcbb9b4bcbfb3f626e6f900fa2cadab44828a83fa15c38ce7a09
Instruction Fuzzy Hash: 87517C30A099498FEFE4FB288055BB673D2EF58780F504579D40EC72A6DE39EC818B40

Function 00007FF84903427D Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08eb3fc21fc62f9c46b90e14493c8706b55801351804fe5fa32b86903836a76b
Instruction ID: 72d2d2288134f609dc69c8b9bd4b68664d28275476121ba4fbb9b4868a35b989
Opcode Fuzzy Hash: 08eb3fc21fc62f9c46b90e14493c8706b55801351804fe5fa32b86903836a76b
Instruction Fuzzy Hash: 2D519270A0895D8FDF94EF98D495AADBBF1FF69301F5001AAE00DE7291DB35A981CB40

Function 00007FF84903402D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f1fc543af5535959a10d06962fe5bdb24a16bab7484c4e0c7d35772f01d2c
Instruction ID: b9de2bca24f3b74765796ae778a6ce2b944a80ff3b76027d295cbee9c30350d9
Opcode Fuzzy Hash: aa0f1fc543af5535959a10d06962fe5bdb24a16bab7484c4e0c7d35772f01d2c
Instruction Fuzzy Hash: 01516E70D0DA5D8FDB64EFA8D8656BDBBB0FF55340F14017AD00D97292CA39A845CB41

Function 00007FF849038EF7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d196cfd523d0a1f229bc6c0c1dd853efd9d1648a4ed621fcde3ee881b0610b
Instruction ID: 15afae820d4baa7c0f71c0a383e42c19e769c2b864c8276faf0f9aca13d3f802
Opcode Fuzzy Hash: 41d196cfd523d0a1f229bc6c0c1dd853efd9d1648a4ed621fcde3ee881b0610b
Instruction Fuzzy Hash: B641A231A0C9498FDF98EF28D495EA5B3E1FB6D310B0445AAD04EC3596CE34E885CB85

Function 00007FF849038FA1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54daf766777fa92a10e1b82bab4c1ed777bafc07332ff2a5b9ff6a9b4aefcf78
Instruction ID: 25e4d879f822fe9af5ce8517201776bf4050d1ee1a18a8db92caa535daab9a60
Opcode Fuzzy Hash: 54daf766777fa92a10e1b82bab4c1ed777bafc07332ff2a5b9ff6a9b4aefcf78
Instruction Fuzzy Hash: 86317231A0C9458FDF9CEF28D4A5EA5B3E1FB6931070446AED04EC7596CE34E845CB85

Function 00007FF849038F3B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30788587da6d0a25ddf5619b985fedae0862ed6232609c90a8ff6fba586e87f7
Instruction ID: 4cba86426afa05e18e300cae24d9610e435508caa402fa22e753441f22ee7f1a
Opcode Fuzzy Hash: 30788587da6d0a25ddf5619b985fedae0862ed6232609c90a8ff6fba586e87f7
Instruction Fuzzy Hash: 25315231A0C9498FDF98EF28D055EA5B3E1FB6931070445AAD04EC7596CE34E885CB85

Function 00007FF849032EFA Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a09d2bfbaffb181424b9761f5f93e6af46e2088ef7a24880784695a5b9515b9
Instruction ID: 598388308b583c6775266d6b217623fe80416656ff060778c84a63bad87290fd
Opcode Fuzzy Hash: 8a09d2bfbaffb181424b9761f5f93e6af46e2088ef7a24880784695a5b9515b9
Instruction Fuzzy Hash: 9741E462D1EAC65FEB76AB3D98A50E53BA0FF12394F0840B7C04C8B0D3FD1898068744

Function 00007FF849037C20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a6def3ecb30467c364929390d3b3dfb94ffe8a2388bd24f89275552a87cc0e
Instruction ID: a52e9330c5b03248b020ae82896f645262e289fe82854d180b1fbfe9c9a1777e
Opcode Fuzzy Hash: e7a6def3ecb30467c364929390d3b3dfb94ffe8a2388bd24f89275552a87cc0e
Instruction Fuzzy Hash: A431043092C9DA8EEB79AA2884646B4B7A1FF94341F1445BFD04ECB187CD28B9858781

Function 00007FF84903607B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ba57657e7267135e99ba31c492b79a14f05d15bda9b8ad0459bb3ea0f56ff0
Instruction ID: 4070b2dee84f330d37c267e6c82805511735da673a5343ba87dc727b9cec93d3
Opcode Fuzzy Hash: c9ba57657e7267135e99ba31c492b79a14f05d15bda9b8ad0459bb3ea0f56ff0
Instruction Fuzzy Hash: 57315C71E1C95A9FDBA8EE68D4925A8B3E1FF58350B14417AC40ED3282DF24BC128B80

Function 00007FF849036B1E Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98c82ffa1a4a1892b7f38e2d098e12f1763c9fe61767531edf02d2b7f5ea65e
Instruction ID: bd5f34659bef8346e8de9c7d0f9a9e0abcbcbb0ba497bf0cd1fdf6f68d25efd8
Opcode Fuzzy Hash: b98c82ffa1a4a1892b7f38e2d098e12f1763c9fe61767531edf02d2b7f5ea65e
Instruction Fuzzy Hash: C631FF31A0D6868FEB75AE6AD4522F973A0EF50391F04817BD80EC7582DF2AE8548750

Function 00007FF8490306D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9902b4e71d7f887a245eef81a127383f668d523f989c26c2478b7b92157ae8
Instruction ID: abddf48bd00676e02675df70f391b2cf3396b1e5d85a2b48c65063174d7965d4
Opcode Fuzzy Hash: 0d9902b4e71d7f887a245eef81a127383f668d523f989c26c2478b7b92157ae8
Instruction Fuzzy Hash: E9310630D1C98A8FEFB8EF5594416BD77A1FF68380F5000B7D80ED2180DF38A9409A85

Function 00007FF849034102 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb668a3a2ad9db97fc3764b8c24c7a666567d3463b391eb8d8ea45d413d4d7c
Instruction ID: 536d2b632abf9f22bef01149ac3da33b6de1fa924d4d5ded61cbd2ebb28a5401
Opcode Fuzzy Hash: 7cb668a3a2ad9db97fc3764b8c24c7a666567d3463b391eb8d8ea45d413d4d7c
Instruction Fuzzy Hash: ED31B474E58A1D9FEB58EFA8D8A5AEDFBB1FF58341F504529D009E7282CB346841CB40

Function 00007FF849037BF0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19703c48023fd837ae7e96fe03dbecca656a86f9dc68523bf4c27b2d731b568c
Instruction ID: 819239e141cce150c2c0394793a27ab576062002299eb7af7e66b6077ec68877
Opcode Fuzzy Hash: 19703c48023fd837ae7e96fe03dbecca656a86f9dc68523bf4c27b2d731b568c
Instruction Fuzzy Hash: BF310B1092C5DA4EEB3A972548645747B91FFD234571846BFD08ECB4CBC82CF8859381

Function 00007FF84903453D Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd04b3859914850744de625686e8bac7643acb53aeb466a8c9bc1a3a29336db
Instruction ID: b326f418721feee54638a0a7e367ca31c35e22c93cc7dd0428f976e87c7ee1b9
Opcode Fuzzy Hash: 6fd04b3859914850744de625686e8bac7643acb53aeb466a8c9bc1a3a29336db
Instruction Fuzzy Hash: 08214A31E1C98D9FDFA4EF98D8505EDBBB1FF58340F50017AD00EE7682DA25A8458B50

Function 00007FF849036CA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c047a7dcd93bc7f5e0499a799494106250d8fcf288f496ee40d682b7f6d51
Instruction ID: c192891883d2241cf33ee2867ff85fe7edeeec82b8bb9fe79e83486009aab92c
Opcode Fuzzy Hash: dd2c047a7dcd93bc7f5e0499a799494106250d8fcf288f496ee40d682b7f6d51
Instruction Fuzzy Hash: DD11BF21E0DA8A4EEF75BF2694125BA73A0EF54391F04457BD44EC3182DE29F8458690

Function 00007FF8490319E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cf9a1f076a49573304495d82d83ba49c3bf1d42d461eadc2d908af8939d168
Instruction ID: 03b508cb06be7158e51f1bdaff5fc26324671fc274c653df57dc9db03863202b
Opcode Fuzzy Hash: 81cf9a1f076a49573304495d82d83ba49c3bf1d42d461eadc2d908af8939d168
Instruction Fuzzy Hash: 01119131D1DACA9FEBA9AB7898216F97BB0FF49345F0801B7C14DD61D3DE28A4058750

Function 00007FF8490305F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a64c7ab769fbd3140759cb14f24757adcacea29a63440f443ff9b0102b4cf8
Instruction ID: a1bda6c99b212fb82998a04e37aae459d7e72186bdebb495a1db972ee7440f53
Opcode Fuzzy Hash: 97a64c7ab769fbd3140759cb14f24757adcacea29a63440f443ff9b0102b4cf8
Instruction Fuzzy Hash: CE011712E4D4E3CEFF787EE764612BC7550AF45B90F6506BBD40E8E1C68C4CA89522D2

Function 00007FF849036B09 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2892561fb84ed4b13b8acb98f61c4644195b5b4c7309d8b5fe87574012768573
Instruction ID: bb5cc4cbd49a8a410305d7c9eeda0029fbf578520553c665d323ec66af269f64
Opcode Fuzzy Hash: 2892561fb84ed4b13b8acb98f61c4644195b5b4c7309d8b5fe87574012768573
Instruction Fuzzy Hash: 3601F721E0E69A4FEF766E6564021B836A0EF522D2F084577D80DCB1C2CE2EE8148261

Function 00007FF84903888C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033be3c1397e0e947ec4eb217d460de4c799452b6d7cdbc686bfb11e897fa173
Instruction ID: f2c1d2639294957677671d0eb08c6e5c7283b7a98c4ca1a341955c779b524db8
Opcode Fuzzy Hash: 033be3c1397e0e947ec4eb217d460de4c799452b6d7cdbc686bfb11e897fa173
Instruction Fuzzy Hash: E401F131A4DB428FE774EF14D4905F4B3E0EF56364F4055BBC88A87A96DB68B8418740

Function 00007FF849033D73 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0658a8dbf45f76a858fca05dfa95c4186827172058811a77f3cdc898b1d45a8f
Instruction ID: 33999cd74261b4930a2c9e2dccf6101ec3500b2d9348c58b01409e585f18dc50
Opcode Fuzzy Hash: 0658a8dbf45f76a858fca05dfa95c4186827172058811a77f3cdc898b1d45a8f
Instruction Fuzzy Hash: A7016731D0D65D8EDF35FE56C442AFDB320EF51381F8001BAD04E57092DE7465888B90

Function 00007FF849035392 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9027ae7f0f93672c962066fdf2abaa8bcd95e5075a8b5a692b7a362b6379c6bc
Instruction ID: 04699f064476a2f2141b375b5c205dbfa363abaf1879214cf2e6f27e3011b29e
Opcode Fuzzy Hash: 9027ae7f0f93672c962066fdf2abaa8bcd95e5075a8b5a692b7a362b6379c6bc
Instruction Fuzzy Hash: 9CF0623284E2C59FD722DFB088555997FB4AF43244F1800FBD48ECB0A2D5AD9506D762

Function 00007FF849035004 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab40b81cadf332413923c6f9fa80ad76cfb806569a09a61855e2881a55e823d8
Instruction ID: bb853840254c5e19639a86a013b74d8e6c0118baba3102d44dd7ec71d2f6cafe
Opcode Fuzzy Hash: ab40b81cadf332413923c6f9fa80ad76cfb806569a09a61855e2881a55e823d8
Instruction Fuzzy Hash: 22011D70D0CA999FDFACDF1888657A9B7B1FB1A340F4405FAC00DD7692DA3599848F11

Function 00007FF849033DEA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd15763c4bcb3f2f513959910182d24a08cf8ff567daccb7ccb9465ebd4d4ca
Instruction ID: 826544e9eb5de60ac65d44f3edf6ff8e6c74709d1591acd1ffa70cfc04ba2dbc
Opcode Fuzzy Hash: 4fd15763c4bcb3f2f513959910182d24a08cf8ff567daccb7ccb9465ebd4d4ca
Instruction Fuzzy Hash: BDF0F831E0856D8EEF64EE45D890BFDB370EF55341F8014BAD04EA2181CEB4AA848F40

Function 00007FF849036AFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e418f034c113abeba35c74f6b70d08fa3b1a8a95bdbfbefa2ab2130ea900fe4
Instruction ID: f89b1b429a2661500796f2011e7eb87ab4726e6f578f732fa90a79f6303ea431
Opcode Fuzzy Hash: 5e418f034c113abeba35c74f6b70d08fa3b1a8a95bdbfbefa2ab2130ea900fe4
Instruction Fuzzy Hash: EDD09210E0D9C78DFEB86F03803223A1AA25F02380F20043BC05F418C1CA1DF5816A11

Function 00007FF849036031 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcb884c0cf6e158b2f9f33d1552e2523819686d24b636deade3c94bd440e243
Instruction ID: 65464fb6f8fdebd01d494b1758fc46e56e7e7b5aa6c05bca7bbd9b0588f8cf5b
Opcode Fuzzy Hash: 6fcb884c0cf6e158b2f9f33d1552e2523819686d24b636deade3c94bd440e243
Instruction Fuzzy Hash: 16B01204F0C2835FFD743CF3044303C00800B052C0BA00933D20F562C3DC4CB8401650

Non-executed Functions

Function 00007FF849030EFA Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

52_^, xrefs: 00007FF849030F01

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID: 52_^
API String ID: 0-1890507545
Opcode ID: abdc65f627e7373af23e9615173ec643a966a3cfa8c00e8dfa90206daf262136
Instruction ID: 34fbe3c7a45bf596659f3cc44ed2c8472832e72ddcdd4f2f8c532a15e82cd6e2
Opcode Fuzzy Hash: abdc65f627e7373af23e9615173ec643a966a3cfa8c00e8dfa90206daf262136
Instruction Fuzzy Hash: 2691789388E5E27FE729BB39E4954F67F50EF1229870D41B7D08C4F093DD0CA4498A99

Function 00007FF849030888 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2b839eb0ee413120617cc218a893c3d4ac5391011d354cb0a2602ec461ea60
Instruction ID: 3e7fe8740af5a5c768a50b1b1313102047a55042d7b8f033ec0b0befe4e94af3
Opcode Fuzzy Hash: 4b2b839eb0ee413120617cc218a893c3d4ac5391011d354cb0a2602ec461ea60
Instruction Fuzzy Hash: CEE1AA9298F6D23ED71A7B78E4510F57F60EF03268B1D91F7D0CC89093DA18608AC7A9

Function 00007FF8490311FA Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b765b061b1688d2118f257477d926bee3ac3164c0e1ed886838042c31849b8a
Instruction ID: 3a194ea9df90499cfef2e4f99eb9dc9d77ec19b9f6d8b702334acc6ecf2db3b8
Opcode Fuzzy Hash: 6b765b061b1688d2118f257477d926bee3ac3164c0e1ed886838042c31849b8a
Instruction Fuzzy Hash: EBE1529288F6D23ED7177B78A4610F57F60EF07298B1D91F7D0CC8A093DA09A449C6A9

Function 00007FF849030D0D Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5c1555efa28f80afaa2ea7d5ec60eb4e716f9b51289ebbebce3ea88f76113b
Instruction ID: 659ca7587682a1beef25674012e4b220aa13d9ef91d157e96ff3488bab13c596
Opcode Fuzzy Hash: ee5c1555efa28f80afaa2ea7d5ec60eb4e716f9b51289ebbebce3ea88f76113b
Instruction Fuzzy Hash: A9D1A79388F6D27FD725BB39E4A54F27F60EF1229871D41B3D08C4B093DD08A45ACA59

Function 00007FF8490324F8 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cf82f1590a13dba006381b18e83d9a5e0f2f8cbd6061b874019b2f2bb1dac5
Instruction ID: b410136172e2097e3baf385d17fe32b7f2f99a5d28065c4b92211cf2df54da4c
Opcode Fuzzy Hash: 07cf82f1590a13dba006381b18e83d9a5e0f2f8cbd6061b874019b2f2bb1dac5
Instruction Fuzzy Hash: 74A1F99298FBC27EE727777CA8A10F13FA0EF0229871D40F7D0CC8A093ED1964568659

Function 00007FF848E5DDAD Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023270449.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e50000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732238fc736aa550616dfb9e81b18480860b4e15ebab731eeecf8d4bfb972c04
Instruction ID: 83be6a614c2146fb389567984c7abb6c37c1eceb93323d9d6c0375af9074b655
Opcode Fuzzy Hash: 732238fc736aa550616dfb9e81b18480860b4e15ebab731eeecf8d4bfb972c04
Instruction Fuzzy Hash: 5B817070908A8D8FDBA8EF18C8457E977E1FF59350F10413AE80DC7292DB74A985CB91

Function 00007FF849030AD3 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0706d0df27eba79d225f3557e0975d9c0a15e436edd0dbaa2a582fccd0c04faf
Instruction ID: b4ebe75bfd7d479507675a40bf56b1d5d11af4e1c4738092668e29f9c47b960b
Opcode Fuzzy Hash: 0706d0df27eba79d225f3557e0975d9c0a15e436edd0dbaa2a582fccd0c04faf
Instruction Fuzzy Hash: 2161D79698F6D63DD71A3778A4210F53F60EF47268B1C51F7D0C889093D908648AC7A9

Function 00007FF849030AFB Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2024030533.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849030000_adjthjawdth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5cb26ae9dbab4290385c5bb35868b3d912ef41ce9ed6b971de6ba4da1d1676
Instruction ID: a7eedf6b9928ed29b4759de10008329b2a3a0fe350ea69061438e13adecde5b0
Opcode Fuzzy Hash: 8e5cb26ae9dbab4290385c5bb35868b3d912ef41ce9ed6b971de6ba4da1d1676
Instruction Fuzzy Hash: 5B61B59698F6D23DD71A77B8A4110F53F60EF47268F0C91F7D0C889093DA186489C7A9

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report adjthjawdth.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\adjthjawdth.exe.log

C:\Users\user\Desktop\EACFwUdk.log

C:\Users\user\Desktop\IqtvERdd.log

C:\Users\user\Desktop\UbzuJcnG.log

C:\Users\user\Desktop\cFHjtWCn.log

C:\Users\user\Desktop\dKSKtFsn.log

C:\Users\user\Desktop\mnazdyIV.log

C:\Users\user\Desktop\oywAdRnV.log

C:\Users\user\Desktop\vWuPNbNC.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
adjthjawdth.exe

Function 00007FF848E51EC3 Relevance: 15.2, Strings: 11, Instructions: 1498
COMMON

Function 00007FF848E5EC5A Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Function 00007FF848E5D04A Relevance: 1.8, APIs: 1, Instructions: 293
COMMON

Function 00007FF848E5D2F5 Relevance: 1.7, APIs: 1, Instructions: 219
fileCOMMON

Function 00007FF848EC0897 Relevance: 1.7, APIs: 1, Instructions: 151
threadCOMMON

Function 00007FF848E5EC91 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON