Edit tour

Windows Analysis Report
hjgesadfseawd.exe

Overview

General Information

Sample name:	hjgesadfseawd.exe
Analysis ID:	1565861
MD5:	ef75329efa1fa3cff64a2249e8b59306
SHA1:	90db5c089347c52e7aeddbe97a652b0dc622b840
SHA256:	6024771adfff13a50785d4bca819c583db42a5671d86bc6ac517c3620d931259
Tags:	exeuser-aachum
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hjgesadfseawd.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\hjgesadfseawd.exe" MD5: EF75329EFA1FA3CFF64A2249E8B59306)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/httppacketbigloadSqluniversal", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hjgesadfseawd.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2009863797.0000000000572000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hjgesadfseawd.exe PID: 6024	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.hjgesadfseawd.exe.570000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hjgesadfseawd.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\qRsgQELG.log	Avira: detection malicious, Label: TR/AD.BitpyRansom.lcksd
Source: C:\Users\user\Desktop\NYVCrGVP.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\RHcbTTvC.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: hjgesadfseawd.exe

Malware Configuration Extractor: DCRat {"C2 url": "http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/httppacketbigloadSqluniversal", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\NYVCrGVP.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\RHcbTTvC.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\hnkqgLvZ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\qRsgQELG.log	ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\zzLwAhQo.log	ReversingLabs: Detection: 29%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\NYVCrGVP.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zzLwAhQo.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\yuAVAyan.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hjgesadfseawd.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: hjgesadfseawd.exe	String decryptor: {"0":[],"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive","_1":""},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"a16c206c-6675-4a07-b8b3-f396ed5c6bae":{"_0":"RU;BY;KZ;UA;AM;AZ;KG;MD;TJ;UZ;TM","_1":"Allow"}}
Source: hjgesadfseawd.exe	String decryptor: ["bKZ2ORpicwitvmDtDSy5iOgGTtdL2AFOIhb6ZmuwJ4jkKbyZ1WzItxwNnTifydpbrTkOLGTahCvno6614ETfL7fVuNSGEP7pOH301jNvDYkqBIirXqkuJKQtyPe7yNWR","584667a1205cae7f6d46624a92e99b079bebeac49e98309173a9eb83ef9ffccd","1","","","5","2","WyIzIiwie1NZU1RFTURSSVZFfS9Vc2Vycy97VVNFUk5BTUV9L0FwcERhdGEvTG9jYWwvc3RhdGljZmlsZS5leGUiLCI1Il0=","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: hjgesadfseawd.exe	String decryptor: [["http://5.252.155.17/3/Proton9Packet/CpuBase5/testBetterlongpollwindows/downloadsGamebetter/Dle/2jsvoiddb/Videodb/wordpresstemp/4Asyncrequest/poll1/","httppacketbigloadSqluniversal"]]

Source: hjgesadfseawd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: hjgesadfseawd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Code function: 4x nop then jmp 00007FF848F2DFC6h

0_2_00007FF848F2DE01

System Summary

.NET source code contains very large strings

Source: hjgesadfseawd.exe, s67.cs

Long String: Length: 205744

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF848F33415	0_2_00007FF848F33415
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF848F21EC3	0_2_00007FF848F21EC3
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF8491011FA	0_2_00007FF8491011FA
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF849100AD4	0_2_00007FF849100AD4
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF849100D0D	0_2_00007FF849100D0D
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF8491024FA	0_2_00007FF8491024FA
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF849100888	0_2_00007FF849100888
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF8491020C2	0_2_00007FF8491020C2
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF8491020F2	0_2_00007FF8491020F2
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF849100EFA	0_2_00007FF849100EFA
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Code function: 0_2_00007FF849100FF2	0_2_00007FF849100FF2

Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\IdUljafV.log 4B18BEB315D1D3C80B85F77CAFBD45199C68C11F422D6657355687310929B13E
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\NYVCrGVP.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A

Source: NYVCrGVP.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RHcbTTvC.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zzLwAhQo.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: yuAVAyan.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qRsgQELG.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hnkqgLvZ.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: hjgesadfseawd.exe, 00000000.00000002.2022485525.0000000001072000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe, 00000000.00000002.2022225026.0000000000FB8000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenamehC5ZBAGhgeGr91UA4g4aLnitDd8fsaPt4 vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe, 00000000.00000002.2022564303.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe, 00000000.00000000.2009863797.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe, 00000000.00000002.2022564303.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe, 00000000.00000002.2022564303.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs hjgesadfseawd.exe
Source: hjgesadfseawd.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs hjgesadfseawd.exe

Source: hjgesadfseawd.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: hjgesadfseawd.exe, E32.cs	Cryptographic APIs: 'TransformBlock'
Source: hjgesadfseawd.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: hjgesadfseawd.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: NYVCrGVP.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: RHcbTTvC.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IdUljafV.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: zzLwAhQo.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: yuAVAyan.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: qRsgQELG.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: hnkqgLvZ.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: hjgesadfseawd.exe, s67.cs	Base64 encoded string: 'H4sIAAAAAAAEAAH4Awf8p//u/dq6v8/Gg4DV39yO09jA39yWyN/Hw5fO2sGdn83RnM2bZmRjYTdgZzZtKzBwLlI+LSozQWpnYXN6OH1ocmp4PDMCfhMBHgcEWgQLGRofFBtKU1UfB1FQUhoMAVgCEVwKCCZsenIgJyUkcH0pKCgrbHUrcw1jdm90AyosP3lwfwFuQltADQ8HDw8OCw8ECwwLDh8UGh8RExgcFx0YHhoaDhjr7+y5yeDy5sXo+eDQ4+vl8vD+8fX++ef0+vL3+/X7/MTAzs7BwMPGwsfDxsTAlOLVxdP+1cbd69bQ2NXZ19rZqqyvqLSmqKu4rKigoKCgpL+0vbq8urCyu+OOqbOzkraOir6NgouMj4WCgoOBhoyFm5qTkZqRlZmWlp2am5KZnW5kZ2A+V2lpYWdWZWdnY2B/eX50e351dHd9c3h2d3h6QkdNTkhHSk1PT0JAFn9BQVlfbl1SXVRYUFBXWllRXFAoMSghJikiJCYuKSUtPSArPzU4I24XPzk5Nzk+HzU/Ng49DAECCwcCBAQFBgkEAwccAR8UHhscGAgREgsXFhET6vHjudTt5+n85ufX4uP+5+D94vT79P3/8PP58/f29vLJxsXCz8zMycPBzMXIl/rg/ubX0ejb0NHW29/X2tnR2qmuqqaqrqyuqqenqqinp6q4u7qyvrfsjrertbKAs7+0j4iDioaLg5eLjI6InIGHhZ2Yk56alJ+QmpyKlp+fxKZvc21qWGtnYWpqaGF8b35pcXV+eHl9e3R0cXF+eXJ6ckFMQUVIRhxqSV1CfE1BQkpEbVxbWlNXWVNXVVhaWFFZIiUmJCcsLCklISQtIiYqITEwNmkXOj85OjgpPgAzNzIMDgsFDwIMBg8OAgUCDgQEGBYVFxwUGhobFxwQEBZEK/Lk+Oz21cvb5uDm7O/j5ur84fH7+vbz8vHp8+v19//zysrAz8bGycXEk+3q2dnG897e19/e0drTyNfX397e1tCuqKevraGhqKqtrq2qq6KuvOuXnIeJuLSyvLa9rLGus4WDhomOgIiLhJmAiI6Bg4Wbl5GVkpuTzbKYgoOwlJyacnV7X2ppYWp4anpsYH1gaHR+c392cnN4dH1/enZ7fXNOSUNFRR91Rk5MekpAcUBOWF5eQ1JRX1ZUU11RWlVRUikpKSkmKCEtIS0mKCgjIXUVKT03ISZ0e3oGaHlmfx8zDEE3EAEXFUVESzVYTldMOwIEF1EJWVQWSU8ZSUxLHVK2t7W2qbHnt7+k6LPuvqPpo6ik9vCg9aH6+P+5pua8wJCDmIH28J3l8ZLh8Zf475Tx/Iny7o798IP0/oDo94XqmvqWjubp5Jj56/DpjaGioKfzr65M0A2y+AMAAA==', 'H4sIAAAAAAAEADSbx3KDyhKG3+VuWZDTUoicM4izIuecefqDT9V1VbsseZgZMd1//59k//PP/0RslT7//zIumkHL1M5UhNSePZHldkmVtZwh/6oUNd8yRms+zun8opaD7hguo1U+Jb3/RDfkVFduj+Upsr/fU7ns4rQedGL51ygkVr5O8Tt9zSH6PL+CRH2NNJ4ZDytyN0lwL8iBBsyN9rMwQpaZ2MkZnZABvYGx7hVsDouqRJR0pGoQg/3iQIvPMfuXgS1ejmnmYspmhMkPcjvGYAcZiKa5j4iPvCG2iWhxaPaZhhwDiltgcjf45pp9Z4AQTpIwA9p6YZRYGvJjwAficGzLt3RNea7DRa6mCT2E3h+LrHQ92b7ENrTl/HlKqioaSKLXITlnUs3rSaVn8OFPkFWvefGWRRgUb5xACgSygjyPh7aOYx21jZo379MsoDXaCVCp4EKP4MiHGvepwgyufoVpAs0PKFwUwZEtGxGXTkn1ty9nnqFPNH0LAouRkRDIfFDPa1NBrNAMY7lVTtpXY9BzDlwqMmKKJ/NEx3481/epe7sL/usBASyunQhificCYwH2fqd//cKcP8FMEAc/zyvdbMEgfNMCKkT4BxNaY/5yiY7BPDdtV37AaCfwprvpo+gHXk33fTjycEcBfBVFVXNBqigsmERpGGdpwQ/HAgWdw7cLsjsWlV+e5w5iVLw8SvZ510CKu7MNtNgD48moLM1H4Ln3Ai5oCgGJZ0CJcwvhL7AMfkg/J4QR5IbfCIWB7wFtW0oFBb3gM/keTCjgQAaCSoHgzr4LCY9jk3IAEIUr2TgApLqY2/Mxlp3I881IEws/DBM1UxzMPJqD5IMk+t1BoP4h15LL8kMYCKwOD7EoGA5es7VgOzPGwEKnD/MhR4ClRLLZkV/RlDFAU6SmoThVCCbKGkhooDtwlGESHg4RbWsG0NNDUZE5JDFIWX0RxuO47vNzNCOSDldGETRGD7wLQssFvTeEdHCFSTxi1+pUjFQMTKlqecaED1UXnHo4A41dzOBJOwRSrBpdULPtmRIUKswInfe4wZE2RdAieb7e8TWIhyQugsFCijJMMl713UQHkE/aPKXQhz3UsHieh4ZY6qfCMH3qlGkKTce8+YiGwRE+BEnjtKusxZbR6PeGKBq8KFTZixxE1LECC+cYjh3hu2KIS5Ik2qukHTFBuw+FO0XhNwm2Nkh+kfe15uE7a7rCYA7E4F4jQGyCDtuTKUZGULGB00nx/PFkQzfjY1MhD0DwXZZB1LHH4nxmc0HT8A4K2iHyOUibAbiwINKnQ3FtJOVRewSumYj6UYAsYlS2FDkBOI0doZ+RXijTFAiOozrAD3JF/rJtJP1AaIEWCycTO2IEQeEQGV+52YM+wqGrGD0jqjBxiJI3yKzDTGyiEUNGsQgCpoBGudGLKtho6Y4EKuKgBbQcRw2lQalTV6jCQrkc1YRP1lgidW5P1j359+R9R9/C2tn3ZtibTU8ZDV/y5ozrdEP+4FA7KHc6Tvc8KEQ6Rvc0KEG6RHczKPvaMdEk38OgUKtf45baWbs3/Ub+3kNFpN/HQaBM6XTjrtrlocJ7dxheBFEslLm3JJCbsTx
Source: hjgesadfseawd.exe, 8B6.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: hjgesadfseawd.exe, 76n.cs	Base64 encoded string: 'Iqh1IxB9hJA37k1KVpEvD4ofVkEVYfXBCz1JKIaQp9q9umzJVNKZLbyiqF5ierQR8j4UayMDZ8CdzhNLh53RQu9SNPWV/Dl6/OnT2hxByD3XDQNrcWy5CZPS6UZgvQwIykaoWysUdGXH16qyYLxXeBMbi9zgkFAqHJqD9bs4O7nlKPEJXAXvr1ROjKirwADI5KT0oqKurX7jIrbW5kpefPRt2Oz9+K2S+AFrFnd8TnsgC7EfAx0XUvWhqAQ6RZhhJ3xm7PX8Hrf2obr35qFuoZ1WobAvkRpi4myhBgAZmal4OqmN7OxmI2B4RFLMxOIp'
Source: hjgesadfseawd.exe, 7YK.cs	Base64 encoded string: 'KbQNyuK5xG79Z2gU7QrLEF0qFy5TuewzPpSmnoebhbzk1FxktUEYPclIG+nMwEqHjaJeR19bkn3+9h3sdkOFLMEGlksCHi1ripptBOxw8RmUvCNFEcGwXI7hCriNLNFZlsWfVAyyOGnomFizVGXsWWhFpiVKEnoYxa7Psg3xOHDr2NEY1cmh1MkRGWNJeStn6kp49geem4a1zK6SfU++VTCdsmsfl6vYaP+fykW+opMt7ENqZNSHGAKe9+/3kOWPzvVITd9vnMtDSSbuhPmTtN8qKmZcKX+dI2brAyGgLMfOoDbkl2zwyo4Hi4wMhA5fDPDEydJj0VAE9rgzQo7rdlaJOSO9jJUpEskG28ts71i2i4jyJsGhi2Y8MlkJQFiEHnVVpCIk0OVwbTo80YmgjQNx2OEPitGeCbHVjFCBN3svlc544a4xH1RSgAP4ZlVW3vAcCMFVn9CTsgHki/f8t+bK/ZPpLoZr18PgFcpCeksMHp8W93QoyTJ4G9GKEv3xp6IOgV7OZ+VkMWblPiUuit5ldrZrQFH9IhG4VNiKuGoVsL+ctLI1sBg2wTwnu9jHBT4qq5/baRhZunnY4WSGKNtADl0CIgCn7aKqb9O+QDoGxovKBUJbbbVoeMnd6qtzixQPtgiAsmMb70hDcXtx1E3mBjCk1BT/eqPp7t5LAwnHJ6xodvTj/vRLFQTmyDAYO6MqNZYANZYAYeBTvBplcToSUhXw5LQopVAzJ0U5twwMhdrWiBzUvPS/iK5rdzvRUZtA6AzKMeTWGFxu8dDa09Vv5z+TvoFEMiBKdhuwKagZFIlxBTbxxMZ6eQqAKjCo8iMI+G/lae1cnr2VR5dE0TO9yfWclHVGMaR1WIDp7lwXiJgLbameFVIxyVWCzXCELukRZKKlO/jR69ua+vJbrGKMDEV0TxxeqUK0FkwcMpJOAnl3eJ6OsEmU8xv6WWA2ZxJ8fNpGfpXDtF1Uo7AT6cIq8SZmiuJpzTUdo2Q/Vl3C/+bHFg0sXQunISNp8+T3BfW2fUId9HbnHwFETF5U3ehCWa2PTCBmm9P3wkUWOlOQSGkCJ47Fc74xKAyxPzaS/mHFGXWTkinZ92k1Qh2XKUwkSwWwLzeLf/KEmaq5Jz5b3IzjrRUhf06XZWsejvw3'
Source: hjgesadfseawd.exe, 52Z.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

File created: C:\Users\user\Desktop\NYVCrGVP.log

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\584667a1205cae7f6d46624a92e99b079bebeac49e98309173a9eb83ef9ffccd

Source: hjgesadfseawd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hjgesadfseawd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Section loaded: ktmw32.dll	Jump to behavior

Source: hjgesadfseawd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hjgesadfseawd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: hjgesadfseawd.exe, 1a2.cs	.Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: hjgesadfseawd.exe, 857.cs	.Net Code: _736

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Code function: 0_2_00007FF848F23CB9 push ebx; retf

0_2_00007FF848F23CBA

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\IdUljafV.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\hnkqgLvZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\RHcbTTvC.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\fdOpgtQY.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\qRsgQELG.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\zzLwAhQo.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\yuAVAyan.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\NYVCrGVP.log	Jump to dropped file

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\NYVCrGVP.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\RHcbTTvC.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\IdUljafV.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\zzLwAhQo.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\yuAVAyan.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\qRsgQELG.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\hnkqgLvZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	File created: C:\Users\user\Desktop\fdOpgtQY.log	Jump to dropped file

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Memory allocated: B80000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Memory allocated: 1A9B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IdUljafV.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hnkqgLvZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RHcbTTvC.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fdOpgtQY.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qRsgQELG.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zzLwAhQo.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yuAVAyan.log	Jump to dropped file
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NYVCrGVP.log	Jump to dropped file

Source: C:\Users\user\Desktop\hjgesadfseawd.exe TID: 3136

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Code function: 0_2_00007FF848F2EC5A GetSystemInfo,

0_2_00007FF848F2EC5A

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Queries volume information: C:\Users\user\Desktop\hjgesadfseawd.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\hjgesadfseawd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\hjgesadfseawd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: hjgesadfseawd.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hjgesadfseawd.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2009863797.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjgesadfseawd.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: hjgesadfseawd.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hjgesadfseawd.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2009863797.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hjgesadfseawd.exe PID: 6024, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hjgesadfseawd.exe	100%	Avira	HEUR/AGEN.1309961
hjgesadfseawd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\qRsgQELG.log	100%	Avira	TR/AD.BitpyRansom.lcksd
C:\Users\user\Desktop\NYVCrGVP.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\RHcbTTvC.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\NYVCrGVP.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\zzLwAhQo.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\yuAVAyan.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\NYVCrGVP.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RHcbTTvC.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\fdOpgtQY.log	17%	ReversingLabs
C:\Users\user\Desktop\hnkqgLvZ.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\qRsgQELG.log	33%	ReversingLabs	Win32.Ransomware.Bitpy
C:\Users\user\Desktop\yuAVAyan.log	4%	ReversingLabs
C:\Users\user\Desktop\zzLwAhQo.log	29%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565861
Start date and time:	2024-11-30 22:50:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hjgesadfseawd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 46 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: hjgesadfseawd.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\NYVCrGVP.log	adjthjawdth.exe	Get hash	malicious	DCRat	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	rvNK8fDa0k.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	KPFv8ATDx0.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	T0jSGXdxX5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	main.exe	Get hash	malicious	DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
C:\Users\user\Desktop\IdUljafV.log	adjthjawdth.exe	Get hash	malicious	DCRat	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hjgesadfseawd.exe.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.366581410225247
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAM
MD5:	289874BC03B0CB1B73F95A44E23B84A5
SHA1:	F275F15181639F5CF9D17D52B662078C7982BBE1
SHA-256:	0848F9D75F9CB57CB8505936C8D1806D4140BEFE2B169CD022ED97A6094B3F6F
SHA-512:	227F67091FEF053586FA6DE1BA1FC2AD7631694401727C3A9F53ABBA6B46574EE72612827CBE91A39AD55EE5B5FE9286E7B54DD8262D6B35B0FE3ACBE24697B4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\Desktop\IdUljafV.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.45778554132892
Encrypted:	false
SSDEEP:	384:O+EQ5SccsLOYWRl1U/JRZA6cBrhhptFFg96lB1Cev6xTu:5NlWNU/G6cbHblt/vl
MD5:	F6BA6A3BAE64426F936CA859866F594B
SHA1:	176047CACF3E8AF31DB121ADD21E122B192D8B62
SHA-256:	4B18BEB315D1D3C80B85F77CAFBD45199C68C11F422D6657355687310929B13E
SHA-512:	C7B3E09F57481CE131F3FDC3EFFBDACB38FBB3AC22BA88B5688182846F9AE413CA543666B85961364E823341B83CBDB97E0E48649677018C99B6CA2DA9BD0E4E
Malicious:	true
Joe Sandbox View:	Filename: adjthjawdth.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v9g...........!.....N...........l... ........@.. ....................................@.................................\|l..O.................................................................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............XL..x...................................................................................................................................................................(h7.......5....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NYVCrGVP.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: adjthjawdth.exe, Detection: malicious, Browse Filename: qNdO4D18CF.exe, Detection: malicious, Browse Filename: based.exe, Detection: malicious, Browse Filename: 4Awb1u1GcJ.exe, Detection: malicious, Browse Filename: rvNK8fDa0k.exe, Detection: malicious, Browse Filename: KPFv8ATDx0.exe, Detection: malicious, Browse Filename: LzmJLVB41K.exe, Detection: malicious, Browse Filename: T0jSGXdxX5.exe, Detection: malicious, Browse Filename: s5duotgoYD.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\RHcbTTvC.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\fdOpgtQY.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.535426842040921
Encrypted:	false
SSDEEP:	384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
MD5:	5420053AF2D273C456FB46C2CDD68F64
SHA1:	EA1808D7A8C401A68097353BB51A85F1225B429C
SHA-256:	A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
SHA-512:	DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hnkqgLvZ.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qRsgQELG.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.492504448438552
Encrypted:	false
SSDEEP:	384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
MD5:	0EEEA1569C7E3EBBB530E8287D7ADCF9
SHA1:	3C196FA10144566EBFBEE7243313314094F3A983
SHA-256:	57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
SHA-512:	1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".d...........!.....V...........u... ........@.. .............................."F....@.................................lu..O.................................................................................... ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................u......H........P...$..........,P..x....................................................................................................................................................................(...@/.l#..r\.*................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yuAVAyan.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zzLwAhQo.log

Download File

Process:	C:\Users\user\Desktop\hjgesadfseawd.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.325710693812368
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	hjgesadfseawd.exe
File size:	910'336 bytes
MD5:	ef75329efa1fa3cff64a2249e8b59306
SHA1:	90db5c089347c52e7aeddbe97a652b0dc622b840
SHA256:	6024771adfff13a50785d4bca819c583db42a5671d86bc6ac517c3620d931259
SHA512:	73cf385ce56147f4c7862ef90cda59c947408dc0bf82c9d0c4b503bb53266d62763c79759235ee20e07b6e36cb50c123facab185d099e397daf0574eb586302f
SSDEEP:	12288:kzw1NV5Il51mx6vEiss/VRqyAk9wiXPrQfkXmm1RhdLB9XirkVknCBz9eQFZz//q:kc8Xh/VAyAksEPLZj9H6t1
TLSH:	1615C72429EB003AF177AFB599D1389EDA6EF6F377079E8E305042C64712780DD9163A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.........."...................... ........@.. .......................@.......!....@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4dfb8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdfb3c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xddb94	0xddc00	1aaed6a704ca4090389bdfbd0ec49d8d	False	0.42992641100620066	data	5.33082485473754	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x370	0x400	df5bed93b5a9e86812000feef296611f	False	0.376953125	data	2.856785757722979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	c2dc2a1743d6632a0c193cbd46a9cafe	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0058	0x318	data			0.44823232323232326

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: hjgesadfseawd.exePID: 6024, Parent PID: 1028

General

Target ID:	0
Start time:	16:50:56
Start date:	30/11/2024
Path:	C:\Users\user\Desktop\hjgesadfseawd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\hjgesadfseawd.exe"
Imagebase:	0x570000
File size:	910'336 bytes
MD5 hash:	EF75329EFA1FA3CFF64A2249E8B59306
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.2009863797.0000000000572000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: hjgesadfseawd.exePID: 6024, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	35
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF848F21EC3 Relevance: 16.5, Strings: 12, Instructions: 1538
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 00007FF848F22856
\, xrefs: 00007FF848F21FC5
[, xrefs: 00007FF848F22567
", xrefs: 00007FF848F22463
H, xrefs: 00007FF848F22ED1
], xrefs: 00007FF848F2289A
{, xrefs: 00007FF848F231BC
u, xrefs: 00007FF848F220EC
{, xrefs: 00007FF848F22D06
}, xrefs: 00007FF848F22D4A
}, xrefs: 00007FF848F23200
], xrefs: 00007FF848F225AB

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID: "$H$[$[$\$]$]$u${${$}$}
API String ID: 0-2063274034
Opcode ID: ab52cd69f857de5d69ed855666cfea8f24d8c7dab2650917622b4d49b7abcf05
Instruction ID: f1418766a7fd7ce7534d2eb8b238b025f8e23178bb46166da5a23ea1e23ceb90
Opcode Fuzzy Hash: ab52cd69f857de5d69ed855666cfea8f24d8c7dab2650917622b4d49b7abcf05
Instruction Fuzzy Hash: 6BD2C370D196298FDBA8EF28D8947A9B7B1FF58341F1045EAD00DE3291CB35AA81CF54

Function 00007FF848F2EC5A Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF848F2ED72

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5b93b2233c470719710ca870dbb1afdfebdfd00015fc5138d1b437249691ba9d
Instruction ID: 7ba398de8159461bd600c7bfa76affde81b069973b7e1260b060637fb18cbae7
Opcode Fuzzy Hash: 5b93b2233c470719710ca870dbb1afdfebdfd00015fc5138d1b437249691ba9d
Instruction Fuzzy Hash: A3519F30D0CA4C8FEB59EFA8E849AE9BBF0FB55310F14416AD04DD7292DB356845CB50

Function 00007FF848F33415 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1654eb0b9715c5fa954618a2573ad8838deae4425510ac61f7eff7b69bcb4819
Instruction ID: 07fe84b4a3876a43850f4cb238cf7c1a4614e1dd6a7f7950a3e416ce5490fa20
Opcode Fuzzy Hash: 1654eb0b9715c5fa954618a2573ad8838deae4425510ac61f7eff7b69bcb4819
Instruction Fuzzy Hash: 7952177090865D8FDB98EF14C494BF9B7B2FF58344F6081ADD04EA7282CB39A946CB54

Function 00007FF848F2D04A Relevance: 1.8, APIs: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FF848F2D252

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 413c888e9e9eafe6766329af21adcdd3a4ccbbb4f35f8e7722c8286fcf3f35b5
Instruction ID: 10eb29c365472156bff11f486ea22d09cb87f01985140644f6c6dc9e0db604c8
Opcode Fuzzy Hash: 413c888e9e9eafe6766329af21adcdd3a4ccbbb4f35f8e7722c8286fcf3f35b5
Instruction Fuzzy Hash: 9A912770909A5C8FDB99EF58C894BE9BBF1FB6A310F1001AED04DE3291DB759984CB44

Function 00007FF848F907D0 Relevance: 1.7, APIs: 1, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e32b153312c0027cf620a185c160c7d22a343b8ba32119b80f470b43fe7c1d
Instruction ID: 6e38d36a0329cc735a770ce74447b4869a94eaf992791b11b8a00350db48bda1
Opcode Fuzzy Hash: d5e32b153312c0027cf620a185c160c7d22a343b8ba32119b80f470b43fe7c1d
Instruction Fuzzy Hash: C1818B30D0965C8FEB58EFA8D8556EDBBB0FF55310F10017AD44ADB292DB35A886CB80

Function 00007FF848F2D2F5 Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF848F2D479

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3771376b0de0707734f9f8bec422413d8ab1578bcd5547db8015a61149499a40
Instruction ID: c703092767d3bb925c0b4946c37c7c3c074dd9143cbe66e4349d4bd1afd150e3
Opcode Fuzzy Hash: 3771376b0de0707734f9f8bec422413d8ab1578bcd5547db8015a61149499a40
Instruction Fuzzy Hash: 95612370908A5C8FDB98EF58D885BE9BBF1FB69300F1001AED04DE3291CB75A985CB40

Function 00007FF848F90897 Relevance: 1.7, APIs: 1, Instructions: 173threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 00007FF848F909A1

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3ef15123226730e562c27bc2833f9940651e8a207fe9b8c1d1de2c79792947d3
Instruction ID: b1d879c5c48b4822a3a634738ebd1b4e5d0dba65590126df5f9b1db3f6e736aa
Opcode Fuzzy Hash: 3ef15123226730e562c27bc2833f9940651e8a207fe9b8c1d1de2c79792947d3
Instruction Fuzzy Hash: 67518B3090864C8FDB55EFA8D885AEDBBF0FB56310F1041ABD44DE7292DA35A886CB51

Function 00007FF848F2EC91 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF848F2ED72

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2ce563ab99c0a76d81e889637b5568bd157b396706c4a0df2de309b597b0640a
Instruction ID: fa6a95286c88f89dbc0d0457f047babb016f0d8ff3408510822b87eabf1841ef
Opcode Fuzzy Hash: 2ce563ab99c0a76d81e889637b5568bd157b396706c4a0df2de309b597b0640a
Instruction Fuzzy Hash: E541B03090C68C8FDB89DFA8D859BE9BBF0EF56310F1441ABD04DD7292CA355885CB10

Function 00007FF848F2F0F5 Relevance: 1.4, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF848F2F229

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 266df2b15b0c7889f505a55e90dbab8d7ae07e80e135413358f083f31a14d8cb
Instruction ID: 2e6e5fb225d989a91fe6057f1939d8138648e0b8feaff5760cd3f06b5d3fcdc4
Opcode Fuzzy Hash: 266df2b15b0c7889f505a55e90dbab8d7ae07e80e135413358f083f31a14d8cb
Instruction Fuzzy Hash: BA512A70918A5C8FDF98EF58D845BE9BBF0FB6A314F1041AAD04DE3251DB71A981CB41

Function 00007FF849107618 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FF849107692

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 755b8d57179258b8f15ba4f10d725494eecd528f71683013f80b28a98866d041
Instruction ID: bc6602d04d00a24b8eae7095f4eedd00df057708657dfccdae79e1f939004707
Opcode Fuzzy Hash: 755b8d57179258b8f15ba4f10d725494eecd528f71683013f80b28a98866d041
Instruction Fuzzy Hash: DC514971D0C58A9FEB69EFA8C8545FDB7B1FF89340F5041BAC04AE7682DA392905CB50

Function 00007FF84910788F Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a26cb4c6b182c7debf57acae999effc4b25041f8b2e631443e0b461a4d1d5c
Instruction ID: 6f03608fba15322f25268b2382924fd00a7b317aa09ce70ff01062eefee38ce0
Opcode Fuzzy Hash: a0a26cb4c6b182c7debf57acae999effc4b25041f8b2e631443e0b461a4d1d5c
Instruction Fuzzy Hash: 96D18C305185968FEB69DF08C8E05B537A1FF84350B5446FCD85A8BA8BDA3DF881CB81

Function 00007FF8491078AF Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5106a1a78e222997a288e646c2d4973ff970bc7f325506f3f9b4233d00884e73
Instruction ID: 3fdddeb0bf2416f0d5c49e104881f901978cacb178c7931b306c7a755c1949e8
Opcode Fuzzy Hash: 5106a1a78e222997a288e646c2d4973ff970bc7f325506f3f9b4233d00884e73
Instruction Fuzzy Hash: AFC19D3051C5868FEB69EF18C8E05B537A1FF85340B5445FDD85A8BA8BEA3CE881CB40

Function 00007FF849104B97 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0fda1a9cf50e16941ae2c849f469b6e5f1c3d69f46b40030c1758d9fc607f9
Instruction ID: 87c56e11e630969f553157f3c262da01f84fe8d26ac7989b0b202681c9b2a86b
Opcode Fuzzy Hash: ec0fda1a9cf50e16941ae2c849f469b6e5f1c3d69f46b40030c1758d9fc607f9
Instruction Fuzzy Hash: 5521F812E0E0D38EF2757F6925911F86A90BF512A5F1902FBD14D868D3FC0E28558BD2

Function 00007FF849107142 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f76a630ffefca5bd74a522d9a46a10d6e3f148b99bbffeccbb8661557166753
Instruction ID: fc4e6ea6118adf392d890119220aacb8b8bf87aae65548869c2195bd51ec3cfa
Opcode Fuzzy Hash: 5f76a630ffefca5bd74a522d9a46a10d6e3f148b99bbffeccbb8661557166753
Instruction Fuzzy Hash: 85B18330A1CA869FE759EF28C4906A4BBA1FF58340F5441B9C44EC7E86DB2DB851CB90

Function 00007FF849104847 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cd7af1d5afae7abebcddb11a6b3a44718dd787fbde9f9683d7c97cf5ada30
Instruction ID: 68190b3977c1c9eeaa31edbfc12b572add2d137da953235ebc0f2db489c17812
Opcode Fuzzy Hash: ae9cd7af1d5afae7abebcddb11a6b3a44718dd787fbde9f9683d7c97cf5ada30
Instruction Fuzzy Hash: AB71C37590C4C94FE778EE1988965B837C0FF493A1B0402FAD55EC79D3FE1EA8168A81

Function 00007FF849103257 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a005f91df1d00c0a609c94028eeb97ee4f4eb86749539f4c6a7f01374379f821
Instruction ID: 3a8c40e94b3c441adc3bc3dd933b0818cf1bed74a84f5cc526a9ffab530f0d84
Opcode Fuzzy Hash: a005f91df1d00c0a609c94028eeb97ee4f4eb86749539f4c6a7f01374379f821
Instruction Fuzzy Hash: 2D71E735A0C58A8FE778FE1894965B577D0FF44390B0402F9D45ECB992EE1EA8178B81

Function 00007FF84910540B Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13eb25a1d0c9558b3b85f7c026e73953b5ab5d08c3b0c5df3becb46ad4f6c500
Instruction ID: dcb57e51d079462e49ae2eed9a3195ef5e6615beca5b50a962808c0a239411ae
Opcode Fuzzy Hash: 13eb25a1d0c9558b3b85f7c026e73953b5ab5d08c3b0c5df3becb46ad4f6c500
Instruction Fuzzy Hash: B0719F30D2D58A9EEBA5EF6488546FDBBB1FF4A380F5404B9D00BD7582FE3968418B11

Function 00007FF849101CE1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cec0d3f6ecf92e9443352223202c2a9e0e6c87af5dfa3614007f7d9fedafd2
Instruction ID: 823d5ac80ba842ee16c58e1b61c014293c959933c1fcc27756b67b7fcd6432ea
Opcode Fuzzy Hash: 50cec0d3f6ecf92e9443352223202c2a9e0e6c87af5dfa3614007f7d9fedafd2
Instruction Fuzzy Hash: 8561A63490C9898FD7B9EE18C859DB837D1FF58351B1402F9E45DC7951EE2EA8468B80

Function 00007FF849106676 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9683b5ca3f488175fa2b7271b280654bad9ce30eb0263ef0ea1d72d20abc5ce9
Instruction ID: 293491d35220179063c42157a36ce226494ccb86f5d2a85a73a9d0cdb4354ec8
Opcode Fuzzy Hash: 9683b5ca3f488175fa2b7271b280654bad9ce30eb0263ef0ea1d72d20abc5ce9
Instruction Fuzzy Hash: 0C61063091CA868FE778AF28944557677E1FF853C4F1446BED08ED3582EE2DB8018B51

Function 00007FF8491088D1 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61e660e8d6908ed26e5ecf609a161cbb23ef5f8bcf00d6c8e3e250e40e03ea2
Instruction ID: 3d1a08e73afe6f8c2ca11a8604ef02887682c688a83251d1731fe88e89bf2deb
Opcode Fuzzy Hash: d61e660e8d6908ed26e5ecf609a161cbb23ef5f8bcf00d6c8e3e250e40e03ea2
Instruction Fuzzy Hash: 9A71693091CB868FE368EF18C595572B7E1FF44340B5449FDC48A87E96EA2AB842CF40

Function 00007FF84910955D Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3478a33b750f286a2fcdfd2a3ef1e67df6095c2801b942f9546aa72cf9fa7f96
Instruction ID: 757104c151660a3c5e38e154207fde855cb0f74268564d23e1161fab032eee26
Opcode Fuzzy Hash: 3478a33b750f286a2fcdfd2a3ef1e67df6095c2801b942f9546aa72cf9fa7f96
Instruction Fuzzy Hash: 4C514C30A4994A8FEF94FB288455BB673D2FF58384F5045B9D50EC7296EE29E8418B40

Function 00007FF84910427D Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e18a9c53e942961184308a09e72a22f6cf92db2ea4185ff9f5a30dcfa55efef
Instruction ID: 0b99249d2fefb118ff8c60af9b030fb129031f2d8f65eb92711abcb7424cd1d1
Opcode Fuzzy Hash: 1e18a9c53e942961184308a09e72a22f6cf92db2ea4185ff9f5a30dcfa55efef
Instruction Fuzzy Hash: 4C51C470A0895D8FDF94EF58D495AADBBF1FF69301F1001AAE00DE7292DB35A981CB50

Function 00007FF84910402D Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd2c1b999c3a43a2a6393552c155f4fe62bc0f4f90cb17b18ee5aaf298339db
Instruction ID: c5d783305f6342fb39a53ea2ba8979668fa9f0f358c38696a692cb418ad89756
Opcode Fuzzy Hash: fdd2c1b999c3a43a2a6393552c155f4fe62bc0f4f90cb17b18ee5aaf298339db
Instruction Fuzzy Hash: 3551BC70D1D65E8FEB64EF68D8966BDBBB0FF55340F1001B9D009E7282EA396845CB81

Function 00007FF849108EF7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd6e37c45466d458ef2dd57a51675512ac9b8bed3e3864d1ac27fe35ddc1603
Instruction ID: ed4b897e2060379457ae25c80162c7b8d711f38a5f847a504910a84c81c2a811
Opcode Fuzzy Hash: 2dd6e37c45466d458ef2dd57a51675512ac9b8bed3e3864d1ac27fe35ddc1603
Instruction Fuzzy Hash: A041A431A0C9498FDF98EF2CC495DB573E1FBA9310B0405AAD14EC3592DE29E895CB85

Function 00007FF849108FA1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45417fc122b4253a15fda5658a3a93da33f1fd66d30b269c802a410f33de9142
Instruction ID: 960e57b5d5ae866eefa4c77d5d4fde331ab2c3c3e0750723d4644cd6d0db25b6
Opcode Fuzzy Hash: 45417fc122b4253a15fda5658a3a93da33f1fd66d30b269c802a410f33de9142
Instruction Fuzzy Hash: 5A31AF31A0C9458FDF98EF2CC095EB573E1FBA9314B0406EDD04AC7592DE29E895CB81

Function 00007FF849102EFA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4413fe3e1f0300ffba041f868985cefde03dcf2af1e447e9791c871ea2bb0812
Instruction ID: abdaeeffdcc6a5421285f737f73066bf0fba0e2ea528bc5ded83133ef894d440
Opcode Fuzzy Hash: 4413fe3e1f0300ffba041f868985cefde03dcf2af1e447e9791c871ea2bb0812
Instruction Fuzzy Hash: 2541E7A2C1E6C65FF7A6AB3498650E93BA0FF116D8F4809F7C1488F497F91D240A8B51

Function 00007FF849108F3B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c5b33e54eb2d74cb173ab05e19ef708b55e215e0a21f28f812d747f7f76bb9
Instruction ID: 6080e9c51e0cbc91b123687676deac19a6fd5c162ff50f1d8facb0eecd9aa249
Opcode Fuzzy Hash: 63c5b33e54eb2d74cb173ab05e19ef708b55e215e0a21f28f812d747f7f76bb9
Instruction Fuzzy Hash: 69318131A0C9498FDF98EF28C095EB573E1FBA9314B0405ADD04EC7592DE29E895CB85

Function 00007FF849107C20 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3376ef0ef590976075d8da53a9551f48d41c131e378118453ab356e09282728c
Instruction ID: 4a0daeba251277912ecf565fecf2ab109b07a75ca77192c1c4c8986e8d386b0e
Opcode Fuzzy Hash: 3376ef0ef590976075d8da53a9551f48d41c131e378118453ab356e09282728c
Instruction Fuzzy Hash: 2D31393081C89F8EE778AB1888646B877A1FF90341F1445FAD05EC7986ED2DBD858B41

Function 00007FF8491006D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c1477b6c1417733a53a72c8a0c1dc4c5baf70c79e33d58f660d81d9d50fd69
Instruction ID: 532c549968985a21e3772217411faeb094abcdc6e78156816814be132ed7b06d
Opcode Fuzzy Hash: 07c1477b6c1417733a53a72c8a0c1dc4c5baf70c79e33d58f660d81d9d50fd69
Instruction Fuzzy Hash: 0431EA30D1C98ADFDB68EF5884555BD76A1FF64380F5002F6D00ED2981EA3F69509F45

Function 00007FF84910607B Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9287508758161b3806f9e718b0c63ad8d9fd2a4a48634e64560dbe02e56ebdb
Instruction ID: 959feda960d9b94c782ecf9c42e3af7fc8d2bd2da8a13939f344be298901dd5c
Opcode Fuzzy Hash: b9287508758161b3806f9e718b0c63ad8d9fd2a4a48634e64560dbe02e56ebdb
Instruction Fuzzy Hash: 6D21FB70A1895A8FD798EF5CD4915A8B3E2FF98754B508279D40AD3686EF287C12CB80

Function 00007FF849104102 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb296a1ae09e21671dd00ec5d7a13681ee8882f195eff05b9e62d65b7bf8154b
Instruction ID: 3d0708e64280bd542a76f8ffc4d74f4bd3b64797cb5ac6ee13f49fccb23a4a8a
Opcode Fuzzy Hash: eb296a1ae09e21671dd00ec5d7a13681ee8882f195eff05b9e62d65b7bf8154b
Instruction Fuzzy Hash: 5531E670E29A1D8FEB54EFA8D895AEDB7B1FF58344F500139D009E7282DB386841CB40

Function 00007FF849107BF0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17eb8a5b47e66bb40d37d7e4bdb171497537a7a119b61809da2f6d19848f68a8
Instruction ID: 256e17a791e3e3e2495e02c9e886c7e93208c10e8e83cb232b73a892d15790a6
Opcode Fuzzy Hash: 17eb8a5b47e66bb40d37d7e4bdb171497537a7a119b61809da2f6d19848f68a8
Instruction Fuzzy Hash: 0D212B1081C5DB4EE739AB184D605747B91FFD238571846F9D0A6CB8D7E81DBC81C781

Function 00007FF849105082 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0457cde6e6372e94e9664720e30d244674c6433b17e9dbe233a2e96d333ebf
Instruction ID: d36f49f85cfdbadd9c0bfed19449a1cbd82de6ed5da2231f2dc7932c7c6327b1
Opcode Fuzzy Hash: af0457cde6e6372e94e9664720e30d244674c6433b17e9dbe233a2e96d333ebf
Instruction Fuzzy Hash: F721F775E1891D9FDF98EF18C465AEDB7B1FB59310F0001AAD00EE3691DA39A9918F40

Function 00007FF84910453D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d019a8e8998aba59fe707a78893102e0ba8f641bac17f538ff2d5e94db91f0a
Instruction ID: 477f707d56fc5e2f588e65e31680a56064a24778c7eda59aeb231a223e7ebc09
Opcode Fuzzy Hash: 8d019a8e8998aba59fe707a78893102e0ba8f641bac17f538ff2d5e94db91f0a
Instruction Fuzzy Hash: 5D215935E1C98D9FDB94EF58C4909ECBBB1FF98340F5001B9D00AE36C2EE29A9058B54

Function 00007FF8491067D4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818e8f4802177f1294f75d11db8c6e73ac316b86dddb75c8ca792be4f9d673e3
Instruction ID: 4cf457fcfbdc8bdb4857f56213097af9e45bbbb073f90022d51e5086d3d771c8
Opcode Fuzzy Hash: 818e8f4802177f1294f75d11db8c6e73ac316b86dddb75c8ca792be4f9d673e3
Instruction Fuzzy Hash: 80115431A6C7868FE678AE08804103972D5FF587C8F24567EE48FD3681FD2DB8415E41

Function 00007FF8491019E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefa52e60d806ca198a46b4bb784962b34e36284b2eafd56a094aeee6a703184
Instruction ID: ba91cdecb7c1ddbb69d6ca63b0d5178c982622a6be8c1a8f4fbb5d0becd8848b
Opcode Fuzzy Hash: aefa52e60d806ca198a46b4bb784962b34e36284b2eafd56a094aeee6a703184
Instruction Fuzzy Hash: 08115E31D1D6CADFEB55AFB898515E97BB0FF46354F0401B6D049D60C3EE2D68048B51

Function 00007FF8491005F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dc8b16eb3a89d74acb38f7e9d5056387a595fdbe70bf2c67412701c296f283
Instruction ID: 8043a22d533295252a8e346ccda617330e95536de5d365d1ac12f2989419fea6
Opcode Fuzzy Hash: 71dc8b16eb3a89d74acb38f7e9d5056387a595fdbe70bf2c67412701c296f283
Instruction Fuzzy Hash: 44018B12E4D0E38EF1783E9425D01BC58407FA0790F6405FAD40E868C7FC0E28902BD2

Function 00007FF849103D73 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0658a8dbf45f76a858fca05dfa95c4186827172058811a77f3cdc898b1d45a8f
Instruction ID: a93902ff5660c6d7e29136a37b1704194b8233c0730158b9a5f3926635e3554e
Opcode Fuzzy Hash: 0658a8dbf45f76a858fca05dfa95c4186827172058811a77f3cdc898b1d45a8f
Instruction Fuzzy Hash: C5014F31D0D65D8EDB29BE508402AFDB720FF51380F4002F9D04E56592EE796A9A8F91

Function 00007FF849106189 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac538490db4242ada7c1bc51f1830c792e8020a9fe9f655f5c4dc2c94738bf9
Instruction ID: c6d55d12deee9a982830fa32f4199f26ac91edcedac8408293ce98ce9acda966
Opcode Fuzzy Hash: 4ac538490db4242ada7c1bc51f1830c792e8020a9fe9f655f5c4dc2c94738bf9
Instruction Fuzzy Hash: 3DF04431A1C9994FDB54FFA8945166C77A1FF4A350F5401BDD04ED76C7DD2D68428B00

Function 00007FF849106CA0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8649d22fac9bf6d5361480b8d92940d16d38c439786d3291679df0ff793cbf35
Instruction ID: 7469893e8d14c30af3520eb742726e7b11e63c61c53e1016254cbde2dc4588a9
Opcode Fuzzy Hash: 8649d22fac9bf6d5361480b8d92940d16d38c439786d3291679df0ff793cbf35
Instruction Fuzzy Hash: 5CF03C20A1CE594ED6A4FF258450A7A63E1FF94384F804978908FC3AD2EE2EF9458B50

Function 00007FF849105004 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243e9272825fafe0a113a43b1aab3093a2285cd429d26d212af9d29151c9dc43
Instruction ID: a53cca94d78c0bf928da6c3174368c4d3ac1932d3e9b1147d8e3a30eec683a5d
Opcode Fuzzy Hash: 243e9272825fafe0a113a43b1aab3093a2285cd429d26d212af9d29151c9dc43
Instruction Fuzzy Hash: 36014B70D0DA9A9EDFA8DF1888517B8B7B0FB5A340F0405FDC10EE7682DA3919808F12

Function 00007FF849105392 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1813a4240160d11a8e24beb52491bedd66c560775d16d1f4676a4c7c5f4474c4
Instruction ID: 46d07b7379fc32f911c1a82a14af6849039e09e5cfc880b4ee34ac17a32d34db
Opcode Fuzzy Hash: 1813a4240160d11a8e24beb52491bedd66c560775d16d1f4676a4c7c5f4474c4
Instruction Fuzzy Hash: ACF06D3284E2C59FD312AF7098515A53FB4FF43244F1900FAD086CB4A2D5AE560ACB62

Function 00007FF849106B1E Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30117754eb3a5f4a97880deb9d7ee8fb01a6354dc5f7deec89a5be8b97663c94
Instruction ID: 3c4cf44b79750a6209d6b6008e3ebbe72960d7ebfbe55595004f5c97007bf758
Opcode Fuzzy Hash: 30117754eb3a5f4a97880deb9d7ee8fb01a6354dc5f7deec89a5be8b97663c94
Instruction Fuzzy Hash: 2AF03A302089064FE768EA18D464BB973D1FBA9350F54457DE91AC7BD1EE6EB9908B00

Function 00007FF849103DEA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd15763c4bcb3f2f513959910182d24a08cf8ff567daccb7ccb9465ebd4d4ca
Instruction ID: c8f17efdd7fd2a79df3e4aa16a7b11b1378f9bfea8ff59d07ca366200d5dfc77
Opcode Fuzzy Hash: 4fd15763c4bcb3f2f513959910182d24a08cf8ff567daccb7ccb9465ebd4d4ca
Instruction Fuzzy Hash: 2AF0F231E0856D8EEB64EF44D850BFDB770FF65340F4011BAD04EA2581EEBA6A858F80

Function 00007FF849106AFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e418f034c113abeba35c74f6b70d08fa3b1a8a95bdbfbefa2ab2130ea900fe4
Instruction ID: 02575251a16f61ca02ac2c285a52a3b305893cdde1b3440049eb0808cf8340a4
Opcode Fuzzy Hash: 5e418f034c113abeba35c74f6b70d08fa3b1a8a95bdbfbefa2ab2130ea900fe4
Instruction Fuzzy Hash: 66D09250B0C9C79DF6786E0180202391AD07F013C0E6002B9D09F65CC1ED1F7501AE12

Function 00007FF849106031 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcb884c0cf6e158b2f9f33d1552e2523819686d24b636deade3c94bd440e243
Instruction ID: 3db7feaef4eaa2a0ea303f265187a3460583f755633d0e66dcea50d4fca56379
Opcode Fuzzy Hash: 6fcb884c0cf6e158b2f9f33d1552e2523819686d24b636deade3c94bd440e243
Instruction Fuzzy Hash: C8B09240E0C2834AE17028A4044007C00812B052C4A900AB0920B669C6FC4E28001A51

Non-executed Functions

Function 00007FF849100EFA Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

50_^, xrefs: 00007FF849100F01

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID: 50_^
API String ID: 0-1932136311
Opcode ID: bfea3c115c55c232cdab609f5fe8f8f1f96cc6a7a56e342bcd40e7d2be8aa74f
Instruction ID: 5e0890589bcf1f33208787fdecbc09b9aacb96b4cec3869adb13c1a17735d819
Opcode Fuzzy Hash: bfea3c115c55c232cdab609f5fe8f8f1f96cc6a7a56e342bcd40e7d2be8aa74f
Instruction Fuzzy Hash: C891716381E5E25FE351BB38A8664E77FA0FF0229CB0802F6D0884F493ED1D75598A59

Function 00007FF849100888 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ec119b6e02cacd08e58be1076451260f6468e1d4c57482a7b8e77a4d7c1523
Instruction ID: 78bef310626310ed6d847e4d72b5730c3dd02b2e0b9572b7ef584eefe552593f
Opcode Fuzzy Hash: 69ec119b6e02cacd08e58be1076451260f6468e1d4c57482a7b8e77a4d7c1523
Instruction Fuzzy Hash: 30F1661291F2D26ED352B778A8650E67F60EF0326CB1D02F7D0CC8E493DA1D6489C7A9

Function 00007FF8491020C2 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e04a297aac66d6f47f41ace3b5bdd5bc7822da27ceca896d4669e106b341567
Instruction ID: de190c55afa2df8e0986ca2d44d295b129b9083f5254b664575355a91b73a95a
Opcode Fuzzy Hash: 9e04a297aac66d6f47f41ace3b5bdd5bc7822da27ceca896d4669e106b341567
Instruction Fuzzy Hash: 06E15913C1F2D3AAD352BB78A4650E67F60FF026ACB1C46F6D08C4E4939E0D645986A9

Function 00007FF8491020F2 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba9c9e4866c6beac529dbfd3c0be6d2c0f0da6ff01dfacc972abe4933a826be
Instruction ID: a060fb6b1552cdeacdc92b7255384f23119f2045a8282d71492e1a1a257d1eb6
Opcode Fuzzy Hash: 6ba9c9e4866c6beac529dbfd3c0be6d2c0f0da6ff01dfacc972abe4933a826be
Instruction Fuzzy Hash: 91E14713C1F2D3AAD352BB7CA4650E67F60FF026ACB1C46F6D0CC4E4939E0D645986A9

Function 00007FF849100D0D Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32a92677a0dcf4606f6a6cb60ca5b37c5bdd89fd97285ce104dc6bf00d30875
Instruction ID: c50401110677a82a338fea2b40eec5b02a5b2079c27200ffaca7eaee9f9c9576
Opcode Fuzzy Hash: f32a92677a0dcf4606f6a6cb60ca5b37c5bdd89fd97285ce104dc6bf00d30875
Instruction Fuzzy Hash: 58E1821381F6D25FE352AB38A8654E67FA0FF0229CB1801FAD0C84F493E91E7959CB55

Function 00007FF8491011FA Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b98faef9555d3b38a505a91daa269927b2f015fde9e3877ec22f52bf3e5ea69
Instruction ID: 87196b2df68e1948129d4ae98a2d41bf2f580daa5ed936824a1599e73d3cfb2f
Opcode Fuzzy Hash: 1b98faef9555d3b38a505a91daa269927b2f015fde9e3877ec22f52bf3e5ea69
Instruction Fuzzy Hash: 72E1101281F3D26ED353BB78A4654E67F60AF0326CB1D42F7D0CC8E493DA0E654987A9

Function 00007FF8491024FA Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e541bdfdd1a2e7568137c82caa7a89cfce26664847c455f4b3fd6f353ec80d1
Instruction ID: b0e7133741c41ae8510d736fd6463a401cd68aa8319f1e84976397169cbbbdfc
Opcode Fuzzy Hash: 9e541bdfdd1a2e7568137c82caa7a89cfce26664847c455f4b3fd6f353ec80d1
Instruction Fuzzy Hash: CBA1B652C1F7D26EE352BB38A8A50E67F60FF12698B1C05F6D0C84F493D90E240B8769

Function 00007FF849100AD4 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f9adad238dcd4150688b81f079f125979e65a0635476973e265b27ca8ce1c8
Instruction ID: c493ff4b6c938684acab9713d3e6a12d8f1fe2dc565707a30793e2a1afcbcbed
Opcode Fuzzy Hash: e0f9adad238dcd4150688b81f079f125979e65a0635476973e265b27ca8ce1c8
Instruction Fuzzy Hash: F071A11690F6D66EE3527B7864210E63F60EF4326DF1C02FBD0C88E093D91D648AC3A9

Function 00007FF849100FF2 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2027296271.00007FF849100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849100000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec2d11572852336c71962681526a952de052b3ae84a139c2641949d284baf68
Instruction ID: 98b4c53f28bc5fdf22ae81939b7aa5e5b92f483f960cc372952c7055b93d3124
Opcode Fuzzy Hash: 9ec2d11572852336c71962681526a952de052b3ae84a139c2641949d284baf68
Instruction Fuzzy Hash: 4F61361381F2E26FE752BF78A8654E77FA0FF0229CB0841F7D0884E493ED1D65498659

Function 00007FF848F2DE01 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026353964.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f20000_hjgesadfseawd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd0d4e4ec456fcb944568925df6900c7d87ff78ae3df08ac9d90f9053e83fc9
Instruction ID: c787ea70720324e4f56ed6cc708d735034bab1c0285ea67571ac2234db871b74
Opcode Fuzzy Hash: 2bd0d4e4ec456fcb944568925df6900c7d87ff78ae3df08ac9d90f9053e83fc9
Instruction Fuzzy Hash: 65610D30908A8D8FDFA8EF18D8457E977E1FF69341F10812AE80DC7291DB759985CB85

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hjgesadfseawd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hjgesadfseawd.exe.log

C:\Users\user\Desktop\IdUljafV.log

C:\Users\user\Desktop\NYVCrGVP.log

C:\Users\user\Desktop\RHcbTTvC.log

C:\Users\user\Desktop\fdOpgtQY.log

C:\Users\user\Desktop\hnkqgLvZ.log

C:\Users\user\Desktop\qRsgQELG.log

C:\Users\user\Desktop\yuAVAyan.log

C:\Users\user\Desktop\zzLwAhQo.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
hjgesadfseawd.exe

Function 00007FF848F21EC3 Relevance: 16.5, Strings: 12, Instructions: 1538
COMMON

Function 00007FF848F2D04A Relevance: 1.8, APIs: 1, Instructions: 293
COMMON