Windows Analysis Report
17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe

Overview

General Information

Sample name: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
Analysis ID: 1577170
MD5: f7c0f93efa22340a973ec0e622eae21f
SHA1: b4f1f7d33e3040f74152a48ff19ef4f4ff20137b
SHA256: b4031a0fee34072aa5c58b677ac2be9caf81f6a1e4cee4781cf3345e55df1231
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "dcuxpag.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "2QA7ZVMEAIOl8smBUrgow7wzVW11AxOU", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "pOXu1Ry7zkt02KO1t4iq2iSbxvgdVRFEV59SBn7C3Qt53PA9FjijrYMEvjUZ6kqcbYJmDNS166ljTjYyJEEcUq9hV3BTVnXKdhcLInntkEiqcfgRng1SwsaceMVCiD6S2cg0P2XMxMyWRYz6zE/HzvvCTfqM5iVtZIXnw/KUyRI=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Yara matches (Source | Rule | Description | Author | Strings)

Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe (type: SAMPLE)
  • Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0x65fb:$a1: havecamera
      0x9aec:$a2: timeout 3 > NUL
      0x9b0c:$a3: START "" "
      0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
      0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
      0x9997:$s2: L2Mgc2NodGFza3MgL2
      0x9916:$s3: QW1zaVNjYW5CdWZmZXI
      0x9964:$s4: VmlydHVhbFByb3RlY3Q
  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
      0x9cce:$q1: Select * from Win32_CacheMemory
      0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
      0xa146:$s1: DcRatBy

Source: dump.pcap (type: PCAP)
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0x3d7:$b2: DcRat By qwqdanchun1

Source: 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp (type: MEMORY)
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0xbd80:$b2: DcRat By qwqdanchun1

Source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp (type: MEMORY)
  • Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0x63fb:$a1: havecamera
      0x98ec:$a2: timeout 3 > NUL
      0x990c:$a3: START "" "
      0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==

Source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
  • Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0x5478:$b1: DcRatByqwqdanchun
      0x3f6a4:$b2: DcRat By qwqdanchun1

Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack (type: UNPACKEDPE)
  • Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  • Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
      0x65fb:$a1: havecamera
      0x9aec:$a2: timeout 3 > NUL
      0x9b0c:$a3: START "" "
      0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
      0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
      0x9997:$s2: L2Mgc2NodGFza3MgL2
      0x9916:$s3: QW1zaVNjYW5CdWZmZXI
      0x9964:$s4: VmlydHVhbFByb3RlY3Q
  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
      0x9cce:$q1: Select * from Win32_CacheMemory
      0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
      0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
      0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
      0xa146:$s1: DcRatBy

No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T08:20:02.040109+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 5999 | 192.168.2.4 | 49730 | TCP
2024-12-18T08:20:02.040109+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 5999 | 192.168.2.4 | 49730 | TCP
2024-12-18T08:20:02.040109+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 5999 | 192.168.2.4 | 49730 | TCP


          AV Detection

Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Avira: detected
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"Server": "dcuxpag.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "2QA7ZVMEAIOl8smBUrgow7wzVW11AxOU", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "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", "ServerSignature": "pOXu1Ry7zkt02KO1t4iq2iSbxvgdVRFEV59SBn7C3Qt53PA9FjijrYMEvjUZ6kqcbYJmDNS166ljTjYyJEEcUq9hV3BTVnXKdhcLInntkEiqcfgRng1SwsaceMVCiD6S2cg0P2XMxMyWRYz6zE/HzvvCTfqM5iVtZIXnw/KUyRI=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Virustotal: Detection: 74%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:5999 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: dcuxpag.duckdns.org
Source: unknown | DNS query: name: dcuxpag.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 45.135.232.38:5999
Source: Joe Sandbox View | IP Address: 45.135.232.38
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dcuxpag.duckdns.org
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?62f444fd27da8
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2918561615.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabReadN(
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR

          System Summary

Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy | Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy | Author: ditekSHen
Source: 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Code function: 0_2_00007FFD9B8AC56F
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Code function: 0_2_00007FFD9B8A90F2
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Code function: 0_2_00007FFD9B8A30E2
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Code function: 0_2_00007FFD9B8A8346
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000000.1671738722.00000000000BE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, Settings.cs | Base64 encoded string: 'HBUzaLXnmOhwmqLguTQgpRr1S5mA+78deY3rmXUwReHVFSED1bFVlUMhfgfMlSaOiPkyGoeieuM3+2Os3+ZYYg==', 'z71oDXCa+ZtvCUbAeKsOmvIEk7/OjUSJdJZg/hPwAyKBovu0X/9dfezeb9N5v/eFhAwy7ft0MoZpZJfjVrEYkw==', 'V6sso+cd7/NdFxuPMbISQ77cuu2s3Zifs5vN6Zv0i6CcRIeLLsaTUpeCROsHUrvRejeLUfvm9TO3L8fysnKcIsBuMBfJgLxGWP3CHbKt4Ys=', 'UMDc0XkhhTLtA34xYzb7wmqOvalrOuMZ5pPppheu7MYh8CuHlNJ/1qWQzZgNT4Hyv4YP9WqSnee0U9LcwBywKaIrpjOg/bY2cZ6vOwLADxYVsrZgB29XV3rQtVE1dhSm/sUhk9i8IHPjjQyDR87fuaTQKY1QVGQK4ZsiZBN0RdSM6P1Z/+UK8nYUAQIA5Bjzf9fyL1VIjYlDbha9zqmTcmjHJBVO3dl9BWHDn+102rsTZK2Y3T8hIgnFjuNKAhfcPc5qzbCWHDwYMFV7OLiRMRDX7icxKUeqPabZMmRvbYk=', 'MsepynPOG/L+qc1jt6P38CGP8WgaPJoOIZ00GATUrWc21EmWBigWVrBlUo5shRAOlQkJjariZ1Fwd7KXbJahng==', 'Xbbofr1ZDRiRfbU28Ju14nEDFjMwWnotROSZdsOy15oq5s+5oLHoTAS4Oz44unJ40EbnXKqszYimUWEHnM/fbQ==', 'zwImBBJl1p//rQ348fIvzrMIWkabXdtk2z5UNGFdubHCVTUdYvTlbWDSIrG+1f6N2BujIGudEbjIMf8nFBXCyg==', 'zbJ51tsgSf4zEzc8q8gpKMvtB5eO2Tgs2nnooSoTK/0NNlLaDFKSc3CK5NYOd9tIenTDcrSwZVYR9T9mDzwzsg=='
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: devenum.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeSection loaded: msdmo.dllJump to behavior
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exeCode function: 0_2_00007FFD9B8A00BD pushad ; iretd 0_2_00007FFD9B8A00C1

          Boot Survival

Source: Yara match; File source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX (50 identical entries)

          Malware Analysis System Evasion

Source: Yara match; File source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Memory allocated: 5F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Memory allocated: 1A4C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Window / User API: threadDelayed 9557
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe TID: 4280; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe TID: 4412; Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe TID: 3608; Thread sleep count: 9557 > 30
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe TID: 3608; Thread sleep count: 302 > 30
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.00000000027FF000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMcIH
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2920902817.000000001AE1C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, AntiProcess.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, Win32.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) (2 identical entries)
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, Amsi.cs; Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.0000000002536000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MSASCui.exe
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2920724589.000000001AD97000.00000004.00000020.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: procexp.exe
Source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: Yara match; File source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe PID: 4092, type: MEMORYSTR
Mitre Att&ck Matrix (tactic: techniques; a leading number is the count badge shown on the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Process Injection; 111 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection for 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe (Scanner: Detection, Label):
• ReversingLabs: 82%, ByteCode-MSIL.Backdoor.AsyncRAT
• Virustotal: 75%
• Avira: 100%, HEUR/AGEN.1307404
• Joe Sandbox ML: 100%
          No Antivirus matches
Domains (Name; IP; Active; Malicious; Reputation):
• bg.microsoft.map.fastly.net; 199.232.214.172; active: true; malicious: false; reputation: high
• dcuxpag.duckdns.org; 45.135.232.38; active: true; malicious: true; reputation: unknown
URLs (Name; Source; Malicious; Reputation):
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; source: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe, 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
IPs (IP; Domain; Country; ASN; ASN Name; Malicious):
• 45.135.232.38; dcuxpag.duckdns.org; Russian Federation; 49392; ASBAXETNRU; malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577170
Start date and time: 2024-12-18 08:19:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time; Type; Description
02:20:03; API Interceptor; 1x Sleep call for process: 17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe modified
Other samples associated with 45.135.232.38 (Associated Sample Name; Detection; Threat Name):
• 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe; malicious; AsyncRAT, DcRat
• 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe; malicious; Remcos
• 17315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exe; malicious; AsyncRAT, DcRat
• 17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exe; malicious; AsyncRAT, DcRat
• 1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exe; malicious; AsyncRAT, DcRat
• sostener.vbs; malicious; AsyncRAT, DcRat
• 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; malicious; Remcos
• 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe; malicious; AsyncRAT, DcRat
• decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe; malicious; Remcos
• sostener.vbs; malicious; Remcos
Match                        | Associated Sample Name / URL                                                      | Detection | Threat Name                                        | Context
bg.microsoft.map.fastly.net  | file.exe                                                                          | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | 199.232.210.172
                             | Invoice.exe                                                                       | malicious | Snake Keylogger                                    | 199.232.214.172
                             | Credit Card Authorization Form.pdf                                                | malicious | Unknown                                            | 199.232.210.172
                             | Configurator.exe                                                                  | malicious | Unknown                                            | 199.232.214.172
                             | hades.exe                                                                         | malicious | Unknown                                            | 199.232.210.172
                             | https://pdf-ezy.com/pdf-ezy.exe                                                   | malicious | Unknown                                            | 199.232.214.172
                             | Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf          | malicious | HTMLPhisher                                        | 199.232.214.172
                             | support.Client.exe                                                                | malicious | ScreenConnect Tool                                 | 199.232.214.172
                             | 5.msi                                                                             | malicious | DanaBot, Nitol                                     | 199.232.214.172
                             | file.exe                                                                          | malicious | Remcos                                             | 199.232.214.172
Match | Associated Sample Name / URL                                                                           | Detection | Threat Name                  | Context
      | ASBAXETNRUH6Lzd3cP3H.exe                                                                               | malicious | Unknown                      | 194.87.47.99
      | k4c3YnjoBr.exe                                                                                         | malicious | Cryptbot                     | 194.87.47.99
      | 1SzdrH2oTL.exe                                                                                         | malicious | Clipboard Hijacker, Cryptbot | 194.87.47.99
      | b3astmode.arm5.elf                                                                                     | malicious | Mirai                        | 91.193.216.252
      | 1733858044dd572d66bc3a8dabfe408fb29ad3eddb6c690affcab2d50d59673d0019848271178.dat-decoded.exe | malicious | AsyncRAT, DcRat              | 45.135.232.38
      | Josho.spc.elf                                                                                          | malicious | Unknown                      | 212.192.27.99
      | payload.elf                                                                                            | malicious | Unknown                      | 212.192.15.59
      | hax.sh4.elf                                                                                            | malicious | Mirai                        | 91.193.216.228
      | nscmips.elf                                                                                            | malicious | Unknown                      | 212.192.12.119
      | ET5.exe                                                                                                | malicious | Unknown                      | 45.8.159.106
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):71954
                                    Entropy (8bit):7.996617769952133
                                    Encrypted:true
                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                    Process:C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):328
                                    Entropy (8bit):3.253995428229511
                                    Encrypted:false
                                    SSDEEP:6:kKzC9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:b9DImsLNkPlE99SNxAhUe/3
                                    MD5:B583BE3BC3A5EA00CD0030F14A18E12D
                                    SHA1:02EBBA97B241B659395C2D92A6BF30CC09E9CF32
                                    SHA-256:445B0B8CD5F6E3B590C280714EB60EB4AD536F2F24ACF7CD6808783BDAD5B556
                                    SHA-512:162DF712EBF992800154B7FE9FCAD7A22E9530DF5088CDDBE8B8EE3927DDF7BBB2A2C1162B81A169D8454EA9C62652650D4FFCD1B270E115FC95AD91B0F8D62F
                                    Malicious:false
                                    Reputation:low
                                    Preview:p...... .........-.A.Q..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):5.61819435475231
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
                                    File size:48'640 bytes
                                    MD5:f7c0f93efa22340a973ec0e622eae21f
                                    SHA1:b4f1f7d33e3040f74152a48ff19ef4f4ff20137b
                                    SHA256:b4031a0fee34072aa5c58b677ac2be9caf81f6a1e4cee4781cf3345e55df1231
                                    SHA512:e92c879e575015a6c0a9add0d695b3994b45bef0e1c8e259780898464567b45c44f5d6b9952018f26e74b585e16a7258983ecda67b6f68375d0f3fb2307ddb6d
                                    SSDEEP:768:xGq+s3pUtDILNCCa+Di+0jd3gLqRp8A0PiBtYbigeiQ6nzZc04/P6vEgK/JLZVcD:8q+AGtQO+GaPAP2bFpQ6nf+6nkJLZVcD
                                    TLSH:4A237D0037D8C536E2BD4BB5A9F3924582B9D6676903CB5D6CC811AA2B03BC597036FE
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x40cbbe
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the `add byte ptr [eax], al` line repeats for the rest of the listing: everything after the 6-byte jmp is 0x00 padding, and each 00 00 byte pair disassembles to that instruction)

The address 00402000h is the IAT (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000 with image base 0x400000); its single slot resolves to mscoree.dll!_CorExeMain, the only native import of the file. This is the standard native entry stub of a .NET executable, not program logic: the actual code is CIL and has to be read with a .NET decompiler, so the native disassembly carries no information about the sample's behaviour.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xcb68           0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0xdf7         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x2000           0xabc4        0xac00    131840916b794572d2628f56a37e8793  False     0.5027480014534884   data       5.643993312189107   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0xdf7         0xe00     2083376922615c09cdda9acfd9305376  False     0.4017857142857143   data       5.110607648061562   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10000          0xc           0x200     82148d01c3935cf90ef81a3dd1fad607  False     0.044921875          data       0.07763316234324169 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xe0a0  0x2d4  data                                                                                                  0.4350828729281768
RT_MANIFEST  0xe374  0xa83  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.40245261984392416
DLL          Import
mscoree.dll  _CorExeMain
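The header fields above (entrypoint 0x40cbbe, IAT at RVA 0x2000 with size 0x8, COM descriptor at 0x2008, a lone mscoree.dll!_CorExeMain import, and a `jmp dword ptr [00402000h]` at the entry point) are the fingerprint of a managed executable whose native stub is uninteresting. The following is an added example, not code from the report, from Joe Sandbox or from the sample, showing how to confirm that fingerprint from the raw headers with only the Python standard library. `build_sample_pe()` constructs a stand-in image that copies the header values listed in this report; its code bytes are not the sample's, only the entry stub is filled in. The directory indexes are the standard winnt.h values.

```python
import struct

# Data directory indexes from winnt.h (standard values, not from the report).
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def parse_pe32(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> PE32 optional header and return the
    fields the report lists: image base, entrypoint RVA, data directories and
    the section table (needed to map the entrypoint RVA to a file offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"image_base": image_base, "entry_rva": entry_rva,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for _name, va, vsize, rawptr, rawsize in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def clr_entry_stub(data: bytes) -> dict:
    """Decode the native entry point of a managed PE32. The C# compiler emits
    a 6-byte `FF 25 <abs32>` (jmp dword ptr [abs32]) whose target must be the
    single IAT slot importing mscoree!_CorExeMain; the bytes after it are 0x00
    padding, which a disassembler shows as `add byte ptr [eax], al`."""
    pe = parse_pe32(data)
    off = rva_to_offset(pe, pe["entry_rva"])
    stub = data[off:off + 6]
    if stub[:2] != b"\xff\x25":
        return {"managed_stub": False, "entry_bytes": stub.hex()}
    target_va = struct.unpack_from("<I", stub, 2)[0]
    target_rva = target_va - pe["image_base"]
    iat_rva, iat_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IAT]
    _com_rva, com_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    return {
        "managed_stub": True,
        "entry_rva": pe["entry_rva"],
        "jmp_target_va": target_va,
        "target_in_iat": iat_rva <= target_rva < iat_rva + iat_size,
        "has_clr_header": com_size > 0,
        "padding_is_zero": not any(data[off + 6:off + 22]),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in image (not the sample's bytes): a PE32 skeleton
    that copies the header values the report lists (entrypoint 0x40cbbe,
    .text at RVA 0x2000 with raw size 0xac00 at file offset 0x200,
    IAT 0x2000/0x8, CLR header 0x2008/0x48) and fills in only the entry stub."""
    text_va, text_vsize, text_raw, text_ptr = 0x2000, 0xABC4, 0xAC00, 0x200
    entry_rva, image_base = 0xCBBE, 0x400000
    img = bytearray(text_ptr + text_raw)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)
    struct.pack_into("<I", img, opt + 28, image_base)
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x2000, 0x8)
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    struct.pack_into("<8sIIII", img, opt + 224, b".text", text_vsize, text_va, text_raw, text_ptr)
    # jmp dword ptr [0x402000]: the IAT slot that holds mscoree!_CorExeMain
    off = text_ptr + (entry_rva - text_va)
    img[off:off + 6] = b"\xff\x25" + struct.pack("<I", image_base + text_va)
    return bytes(img)


if __name__ == "__main__":
    print(clr_entry_stub(build_sample_pe()))
```

When `managed_stub`, `target_in_iat` and `has_clr_header` are all true, the native entry point is the runtime trampoline and nothing else; the triage effort belongs in the CIL (dnSpy, ILSpy or similar), where the AsyncRAT configuration the report extracted actually lives. A `managed_stub: False` result on a file that still has a CLR header is worth a second look, since it means something other than the compiler wrote the entry point.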
Timestamp                        SID      Signature                                               Severity  Source IP      Source Port  Dest IP      Dest Port  Protocol
2024-12-18T08:20:02.040109+0100  2842478  ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)  1         45.135.232.38  5999         192.168.2.4  49730      TCP
2024-12-18T08:20:02.040109+0100  2034847  ET MALWARE Observed Malicious SSL Cert (AsyncRAT)       1         45.135.232.38  5999         192.168.2.4  49730      TCP
2024-12-18T08:20:02.040109+0100  2848048  ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)    1         45.135.232.38  5999         192.168.2.4  49730      TCP
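The three alerts above all fire on the server certificate at the TLS handshake; the connection table that follows carries a second signal that survives a certificate change. The client opens a new exchange with 45.135.232.38:5999 at 08:20:04.94, 08:20:16.26, 08:20:27.56, 08:20:38.87, 08:20:50.18, 08:21:01.50 and so on, about 11.3 seconds apart with almost no jitter, and the server sends an unsolicited packet every 30 seconds (08:20:35.18, 08:21:05.18, 08:21:35.18). The following is an added example, not part of the Joe Sandbox report, that measures that check-in periodicity. The packet timestamps are a hand-copied subset of the client-to-server rows of the table below; the 2-second burst gap, the six-burst minimum and the 0.1 jitter cutoff are assumed tuning values, not anything the report states.

```python
import re
import statistics
from datetime import datetime, timezone

# Constructed input: a hand-copied subset of the client -> C2 packets in the
# connection table of this report (192.168.2.4:49730 -> 45.135.232.38:5999).
# The first packet of every client burst is included, plus a few follow-up
# packets so the burst clustering has something to collapse.
CLIENT_PACKETS = """\
Dec 18, 2024 08:20:00.427407026 CET
Dec 18, 2024 08:20:00.547271967 CET
Dec 18, 2024 08:20:00.571593046 CET
Dec 18, 2024 08:20:01.916522026 CET
Dec 18, 2024 08:20:02.400872946 CET
Dec 18, 2024 08:20:04.941203117 CET
Dec 18, 2024 08:20:05.061374903 CET
Dec 18, 2024 08:20:16.258342028 CET
Dec 18, 2024 08:20:16.900953054 CET
Dec 18, 2024 08:20:27.558078051 CET
Dec 18, 2024 08:20:28.213462114 CET
Dec 18, 2024 08:20:38.870271921 CET
Dec 18, 2024 08:20:50.183252096 CET
Dec 18, 2024 08:21:01.495326996 CET
Dec 18, 2024 08:21:12.814403057 CET
Dec 18, 2024 08:21:24.120560884 CET
Dec 18, 2024 08:21:35.229270935 CET
Dec 18, 2024 08:21:46.745582104 CET
Dec 18, 2024 08:21:58.057996988 CET
"""

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(line: str) -> float:
    """Seconds since the epoch. Joe Sandbox prints nanosecond fractions and
    strptime's %f stops at microseconds, so the fraction is added by hand.
    The zone is fixed at UTC+1 (assumed: no DST in December); it cancels out
    in every difference anyway."""
    m = _TS.match(line.strip())
    if not m:
        raise ValueError(f"unparseable timestamp: {line!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2)) / 10 ** len(m.group(2))
    return base.replace(tzinfo=timezone.utc).timestamp() - 3600 + frac


def burst_starts(times, gap=2.0):
    """Collapse packets closer than `gap` seconds to their predecessor into one
    burst (one RAT exchange is several packets) and return each burst's first
    timestamp. `gap` is an assumed tuning value read off the table."""
    times = sorted(times)
    starts = [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            starts.append(cur)
    return starts


def beacon_score(times, gap=2.0, min_bursts=6, max_jitter=0.1):
    """Return (median_interval, jitter, is_beacon), or None with too few bursts.
    jitter = median absolute deviation of the inter-burst intervals / median;
    a sleep-loop check-in sits far below 0.1, interactive traffic does not.
    Median and MAD are used so a single outlier (here the handshake-to-first-
    check-in gap of about 4.5 s) cannot mask the pattern."""
    starts = burst_starts(times, gap)
    if len(starts) < min_bursts:
        return None
    deltas = [b - a for a, b in zip(starts, starts[1:])]
    med = statistics.median(deltas)
    mad = statistics.median(abs(d - med) for d in deltas)
    jitter = mad / med if med > 0 else float("inf")
    return med, jitter, jitter < max_jitter


def analyse(packet_dump: str = CLIENT_PACKETS):
    times = [parse_ts(line) for line in packet_dump.strip().splitlines()]
    return beacon_score(times)


if __name__ == "__main__":
    med, jitter, flagged = analyse()
    print(f"median check-in interval {med:.2f}s, jitter {jitter:.4f}, beacon={flagged}")
```

On the copied rows this reports a median interval of about 11.31 s with a jitter ratio around 0.0005, which is the behaviour of a hard-coded sleep between check-ins. Applied to flow logs (Zeek conn.log, NetFlow) grouped by client, server and destination port, the same function flags long-lived connections to non-standard ports such as 5999 even after an operator rotates the certificate that the ET rules key on; the caveat is that software updaters and monitoring agents also beacon, so the score is a triage signal to join with destination reputation, not a verdict by itself.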
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 18, 2024 08:20:00.427407026 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:00.547089100 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:00.547271967 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:00.571593046 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:00.691248894 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:01.874218941 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:01.916522026 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:01.920455933 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:02.040108919 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:02.358438969 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:02.400872946 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:04.941203117 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:05.061223030 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:05.061374903 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:05.181324005 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:16.258342028 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:16.378032923 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:16.378129005 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:16.497715950 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:16.859713078 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:16.900953054 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:17.050538063 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:17.104073048 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:17.122139931 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:17.241854906 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:17.241990089 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:17.361709118 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:27.558078051 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:27.677849054 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:27.677962065 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:27.797485113 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:28.159164906 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:28.213462114 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:28.349522114 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:28.351650953 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:28.472264051 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:28.472359896 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:28.591917038 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:35.183662891 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:35.229264975 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:35.374628067 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:35.416676998 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:38.870271921 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:38.989978075 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:38.990200996 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:39.110410929 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:39.471185923 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:39.526050091 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:39.661936045 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:39.663836002 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:39.783495903 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:39.783658981 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:39.906040907 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:50.183252096 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:50.304744005 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:50.304842949 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:50.424838066 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:50.784218073 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:50.838495970 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:50.975095034 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:50.977549076 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:51.097126007 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:20:51.097254038 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:20:51.216830969 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:01.495326996 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:01.615084887 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:01.618453979 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:01.738255024 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:02.096949100 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:02.151180983 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:02.287971973 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:02.290563107 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:02.410336971 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:02.414511919 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:02.535442114 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:05.182497978 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:05.229190111 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:05.373287916 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:05.416784048 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:12.814403057 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:12.934024096 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:12.934129000 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:13.053788900 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:13.416099072 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:13.463610888 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:13.606060982 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:13.607902050 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:13.727586031 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:13.727911949 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:13.847611904 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:24.120560884 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:24.240091085 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:24.240190029 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:24.359793901 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:24.804302931 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:24.854243994 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:25.105030060 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:25.107364893 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:25.226978064 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:25.227140903 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:25.346731901 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:35.179161072 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:35.229270935 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:35.393407106 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:35.432938099 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:35.552795887 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:35.552871943 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:35.672523975 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:36.116662979 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:36.166863918 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:36.330027103 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:36.332113028 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:36.451884985 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:36.451966047 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:36.571712971 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:46.745582104 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:46.865329981 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:46.865552902 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:46.986171961 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:47.430690050 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:47.479265928 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:47.643361092 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:47.669836044 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:47.789520025 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:47.789606094 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:47.909238100 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:58.057996988 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:58.177875042 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:58.177939892 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:58.297851086 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:58.742851973 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:58.786348104 CET  49730        5999       192.168.2.4    45.135.232.38
Dec 18, 2024 08:21:58.956046104 CET  5999         49730      45.135.232.38  192.168.2.4
Dec 18, 2024 08:21:58.957983017 CET  49730        5999       192.168.2.4    45.135.232.38
                                    Dec 18, 2024 08:21:59.078001976 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:21:59.078090906 CET497305999192.168.2.445.135.232.38
                                    Dec 18, 2024 08:21:59.197736979 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:22:02.448501110 CET497305999192.168.2.445.135.232.38
                                    Dec 18, 2024 08:22:02.568093061 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:22:02.568567038 CET497305999192.168.2.445.135.232.38
                                    Dec 18, 2024 08:22:02.688291073 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:22:03.135838032 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:22:03.182439089 CET497305999192.168.2.445.135.232.38
                                    Dec 18, 2024 08:22:03.346790075 CET59994973045.135.232.38192.168.2.4
                                    Dec 18, 2024 08:22:03.401171923 CET497305999192.168.2.445.135.232.38
                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 18, 2024 08:20:00.089514017 CET | 58402 | 53 | 192.168.2.4 | 1.1.1.1
                                    Dec 18, 2024 08:20:00.421482086 CET | 53 | 58402 | 1.1.1.1 | 192.168.2.4

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Dec 18, 2024 08:20:00.089514017 CET | 192.168.2.4 | 1.1.1.1 | 0x78e2 | Standard query (0) | dcuxpag.duckdns.org | A (IP address) | IN (0x0001) | false

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Dec 18, 2024 08:20:00.421482086 CET | 1.1.1.1 | 192.168.2.4 | 0x78e2 | No error (0) | dcuxpag.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
                                    Dec 18, 2024 08:20:02.571261883 CET | 1.1.1.1 | 192.168.2.4 | 0xad05 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                    Dec 18, 2024 08:20:02.571261883 CET | 1.1.1.1 | 192.168.2.4 | 0xad05 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:02:19:56
                                    Start date:18/12/2024
                                    Path:C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac1759029833.dat-decoded.exe"
                                    Imagebase:0xb0000
                                    File size:48'640 bytes
                                    MD5 hash:F7C0F93EFA22340A973EC0E622EAE21F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2920991760.000000001AFD3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1671721762.00000000000B2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2919197788.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2918561615.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2919197788.0000000002543000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:21.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:9
                                      Total number of Limit Nodes:0
                                      execution_graph 5122 7ffd9b8a18ca 5123 7ffd9b8a2a00 LoadLibraryA 5122->5123 5125 7ffd9b8a2ad2 5123->5125 5118 7ffd9b8a2d3d 5119 7ffd9b8a2d4b VirtualProtect 5118->5119 5121 7ffd9b8a2e2b 5119->5121 5114 7ffd9b8a29e1 5115 7ffd9b8a29eb LoadLibraryA 5114->5115 5117 7ffd9b8a2ad2 5115->5117

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: L
                                      • API String ID: 0-2909332022
                                      • Opcode ID: 0ecbda2623d714e5454224837b8b4454dde328173151935bba838df6f01870f4
                                      • Instruction ID: a011ad51460647c4696b3e46000574e5fc1edfdf62463fd43f3d83e81d48c1a9
                                      • Opcode Fuzzy Hash: 0ecbda2623d714e5454224837b8b4454dde328173151935bba838df6f01870f4
                                      • Instruction Fuzzy Hash: ABB2F821B1D94D4FEB6CEB6C94A5A7973D2EFA8310F1541BAD01EC32E7DD28B8428741

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,
                                      • API String ID: 0-3772416878
                                      • Opcode ID: 14f751790c1b11d077a519cd3434bc2f5b255bf3b082d163c054129f0e07640d
                                      • Instruction ID: 3fc4b99b3b2d45c52b280c6a1867687cd64eed824653f67c0660e2d4ee23e5e5
                                      • Opcode Fuzzy Hash: 14f751790c1b11d077a519cd3434bc2f5b255bf3b082d163c054129f0e07640d
                                      • Instruction Fuzzy Hash: 4332D331B1990A4FEBACEB6C9475B7977E2FF98310B540579D01EC32D6DE28AC428781

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e097650f13cb9a5bc74cfe997ff3bbb48301cbb40d512687867238290af23f3
                                      • Instruction ID: 8058570578c5b691eb825fa248e7aca68b57b54da9f77e30f71b761c4d036151
                                      • Opcode Fuzzy Hash: 8e097650f13cb9a5bc74cfe997ff3bbb48301cbb40d512687867238290af23f3
                                      • Instruction Fuzzy Hash: 19F1A330A09A4D8FEBA8DF28C8557E937E1FF58310F44426EE84DC7295DF34A9458B92

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c47d2bdc54d28a51c20136d37d3b4626e624f16fb00497c93b3424b0d9999326
                                      • Instruction ID: d6c2dccab3e1dc0030156526822796b51f51c394cfb46775df19732b07ae3214
                                      • Opcode Fuzzy Hash: c47d2bdc54d28a51c20136d37d3b4626e624f16fb00497c93b3424b0d9999326
                                      • Instruction Fuzzy Hash: 0EE1C330A0CA4E4FEFA8DF28C8697E977E1FF58310F04466ED85DC7295CA7899418B81

                                      Control-flow Graph

                                      control_flow_graph 560 7ffd9b8a29e1-7ffd9b8a2ad0 LoadLibraryA 566 7ffd9b8a2ad8-7ffd9b8a2b31 call 7ffd9b8a2b32 560->566 567 7ffd9b8a2ad2 560->567 567->566
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: c3ae6c07c585c6ec0af9737a8b95e525f91bbdf58f2149df3a19a80705316662
                                      • Instruction ID: 366853650cab6e10ef213ef78f82b4d298708148417d41b6c6098867fa2dff27
                                      • Opcode Fuzzy Hash: c3ae6c07c585c6ec0af9737a8b95e525f91bbdf58f2149df3a19a80705316662
                                      • Instruction Fuzzy Hash: 5E417F30A08A1C8FDB98EF98D855BEDBBF1FF99310F1041AAD00DD7296DA75A841CB41

                                      Control-flow Graph

                                      control_flow_graph 573 7ffd9b8a18ca-7ffd9b8a2ad0 LoadLibraryA 578 7ffd9b8a2ad8-7ffd9b8a2b31 call 7ffd9b8a2b32 573->578 579 7ffd9b8a2ad2 573->579 579->578
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 0b0d8cb61d656b69072d886812fdd3803bd1fd53f574f376d197be2fdb0d495b
                                      • Instruction ID: 8a45578f193ec8ff0a38ed6b65f73f7fb21bbd8ba2eab92364360b0c37070204
                                      • Opcode Fuzzy Hash: 0b0d8cb61d656b69072d886812fdd3803bd1fd53f574f376d197be2fdb0d495b
                                      • Instruction Fuzzy Hash: C5415E70A08A1C8FDB98EF98D855BEDB7F1FB59310F10416AD00ED3295DB75A842CB41

                                      Control-flow Graph

                                      control_flow_graph 585 7ffd9b8a2d3d-7ffd9b8a2d49 586 7ffd9b8a2d4b-7ffd9b8a2d53 585->586 587 7ffd9b8a2d54-7ffd9b8a2d63 585->587 586->587 588 7ffd9b8a2d65-7ffd9b8a2d6d 587->588 589 7ffd9b8a2d6e-7ffd9b8a2e29 VirtualProtect 587->589 588->589 594 7ffd9b8a2e2b 589->594 595 7ffd9b8a2e31-7ffd9b8a2e59 589->595 594->595
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2921901333.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b8a0000_17345062850621022e2a034193497843f70f72ad0e2a6d5b0e23bb6cd0de4c41fac175.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 76ffc50c065f495cd767bd6222b5a70f8eac5c7a3a418a41d93f15ee52874c17
                                      • Instruction ID: d45631ac408791fac17e99753fdc16b6e88d04823eef578af4b0e81d508de88a
                                      • Opcode Fuzzy Hash: 76ffc50c065f495cd767bd6222b5a70f8eac5c7a3a418a41d93f15ee52874c17
                                      • Instruction Fuzzy Hash: 4941F73190D7884FDB2D9BA89C566ED7FE0EF56321F0442AFD089C31A3DA746406C796