
Windows Analysis Report
1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe

Overview

General Information

Sample name: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
Analysis ID: 1579170
MD5: f5133e1d8675aeeeb784dbb29a0a85ed
SHA1: 6a29b2ee1ff544e3afbff65dff2b42d040f9f6e5
SHA256: 2818cafb3a619f94c43ceac3ed5c778a41228d335b8b2a58287ab843e7ac67f5
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "cooempresasltda104.duckdns.org", "Ports": "8000", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "R3KoTfJBCOGKPcaOhhEOW7Ywvaqyzqrq", "Mutex": "DcRatMutex_qwsafunfaf", "Certificate": "MIICMDCCAZmgAwIBAgIVALv/XcwQnmQIwA3z8xW4ctTaHXVBMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTAyMjIxNTY1NVoXDTMzMDczMTIxNTY1NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIHPo9UElAeRw3cSGFuu04tmut2qVTmi9Jrgi/GqS0nhXmdp7dHiHatr+O8Ky6kFbRw3Od4qorPE48u+VlPHuwGMWSDHWvsNuvisquspvO+bKwNT4Nha26lWX+GEyE6RaYJN4dO3QuL0BxT6wcd6g22ZJl/0uugFGnSbJEm0SRtNAgMBAAGjMjAwMB0GA1UdDgQWBBQbaxfiE1h/zzfdLHK2Y9C2qyy8ITAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFcWnogvkrMkdwkiJLc7kR6ntspay88jl/0EkB+JQu9+WJx0poJDW5wTagTKIbPu19sloMAf1rJPmIZ+gn3AhRFowfy+YOT2Bxxjklv9Y+zu3rkXbWcqzH+t4A0V3mbQSgD8K5Ulgrgn35gUcCdC5kymRjwdrKfy3Qk1MIIrtqJP", "ServerSignature": "D9jsax3HNiOk4a69uiOxPMMd8107TZgrjPdFT3hFOIc+zWMltocm/v2gEWco9nOFkPjYTSxele+EioG00X+GAQ42Nyu0rqg2sSJOuSKnFdznA0lbKmtnkSMN43GP5xBMPUAMuiVLchxVHCA4TpBSTL+9wwf/Iyw6Y///3NKWFKg=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9aec:$a2: timeout 3 > NUL
  • 0x9b0c:$a3: START "" "
  • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9997:$s2: L2Mgc2NodGFza3MgL2
  • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cce:$q1: Select * from Win32_CacheMemory
  • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa146:$s1: DcRatBy
Source: dump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x439:$b2: DcRat By qwqdanchun1
Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x63f7:$a1: havecamera
  • 0x98ec:$a2: timeout 3 > NUL
  • 0x990c:$a3: START "" "
  • 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000000.00000002.2971136177.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x1aec:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.2972988411.000000001B663000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x1282c:$b2: DcRat By qwqdanchun1
  • 0x1c850:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9aec:$a2: timeout 3 > NUL
  • 0x9b0c:$a3: START "" "
  • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9997:$s2: L2Mgc2NodGFza3MgL2
  • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cce:$q1: Select * from Win32_CacheMemory
  • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa146:$s1: DcRatBy
          No Sigma rule has matched
Timestamp: 2024-12-20T23:35:07.166244+0100 | SID: 2034847 | Severity: 1 | Classtype: Domain Observed Used for C2 Detected | Source IP: 152.201.182.125 | Source Port: 8000 | Destination IP: 192.168.2.4 | Destination Port: 49730 | Protocol: TCP
Timestamp: 2024-12-20T23:35:07.166244+0100 | SID: 2842478 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 152.201.182.125 | Source Port: 8000 | Destination IP: 192.168.2.4 | Destination Port: 49730 | Protocol: TCP
Timestamp: 2024-12-20T23:35:07.166244+0100 | SID: 2848048 | Severity: 1 | Classtype: Domain Observed Used for C2 Detected | Source IP: 152.201.182.125 | Source Port: 8000 | Destination IP: 192.168.2.4 | Destination Port: 49730 | Protocol: TCP


          AV Detection

Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Avira: detected
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"Server": "cooempresasltda104.duckdns.org", "Ports": "8000", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "R3KoTfJBCOGKPcaOhhEOW7Ywvaqyzqrq", "Mutex": "DcRatMutex_qwsafunfaf", "Certificate": "[certificate value omitted here; it is listed in full in the extracted configuration above]", "ServerSignature": "D9jsax3HNiOk4a69uiOxPMMd8107TZgrjPdFT3hFOIc+zWMltocm/v2gEWco9nOFkPjYTSxele+EioG00X+GAQ42Nyu0rqg2sSJOuSKnFdznA0lbKmtnkSMN43GP5xBMPUAMuiVLchxVHCA4TpBSTL+9wwf/Iyw6Y///3NKWFKg=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 152.201.182.125:8000 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 152.201.182.125:8000 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 152.201.182.125:8000 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: cooempresasltda104.duckdns.org
Source: unknown | DNS query: name: cooempresasltda104.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 152.201.182.125:8000
Source: Joe Sandbox View | ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO COLOMBIATELECOMUNICACIONESSAESPCO
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cooempresasltda104.duckdns.org
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971136177.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2970957557.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2972988411.000000001B6AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR

          System Summary

Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Author: ditekSHen
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy, Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Author: ditekSHen
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI, Author: ditekSHen
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy, Author: ditekSHen
Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 00000000.00000002.2971136177.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 00000000.00000002.2972988411.000000001B663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Code function: 0_2_00007FFD9B7C8346
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Code function: 0_2_00007FFD9B7C30E2
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Code function: 0_2_00007FFD9B7C90F2
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000000.1715708233.000000000091E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2971136177.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2972988411.000000001B663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, Settings.cs | Base64 encoded strings found (the encoded Settings.cs values themselves are omitted here)
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwsafunfaf
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | Section loaded: sxs.dll
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeSection loaded: devenum.dllJump to behavior
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeSection loaded: devobj.dllJump to behavior
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeSection loaded: msdmo.dllJump to behavior
          Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Boot Survival

Source: Yara match; File source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match; File source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Memory allocated: 1AB20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Window / User API: threadDelayed 1464
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Window / User API: threadDelayed 8396
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe TID: 7616; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe TID: 7636; Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe TID: 7644; Thread sleep count: 1464 > 30
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe TID: 7644; Thread sleep count: 8396 > 30
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Thread delayed: delay time: 922337203685477
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2972783220.000000001B48D000.00000004.00000020.00020000.00000000.sdmp, 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2972988411.000000001B663000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, AntiProcess.cs; Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, Win32.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, Amsi.cs; Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B88000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B88000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.0.1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MSASCui.exe
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: procexp.exe
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971136177.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: Yara match; File source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe PID: 7524, type: MEMORYSTR

MITRE ATT&CK matrix, one line per tactic; the numeric prefixes are the report's own per-technique counts and are kept as shown:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Process Injection; 11 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307404
1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
cooempresasltda104.duckdns.org | 152.201.182.125 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
cooempresasltda104.duckdns.org | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe, 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
152.201.182.125 | cooempresasltda104.duckdns.org | Colombia | 3816 | COLOMBIATELECOMUNICACIONESSAESPCO | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579170
Start date and time: 2024-12-20 23:34:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe

Time | Type | Description
17:35:08 | API Interceptor | 2x Sleep call for process: 1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe modified

                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  bg.microsoft.map.fastly.net | 1734732186278e5c87d1a316617c1125acd5c32aedeebfd021b1e761647265ea7426c527bd565.dat-decoded.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse | 199.232.214.172
                  | Statements.pdf | Get hash | malicious | WinSearchAbuse | Browse | 199.232.210.172
                  | INVOICE_2279_from_RealEyes Digital LLC (1).pdf | Get hash | malicious | Unknown | Browse | 199.232.214.172
                  | Z8oTIWCyDE.exe | Get hash | malicious | LummaC | Browse | 199.232.210.172
                  | BB4S2ErvqK.exe | Get hash | malicious | LummaC | Browse | 199.232.214.172
                  | MS100384UTC.xls | Get hash | malicious | Unknown | Browse | 199.232.210.172
                  | SWIFT.xls | Get hash | malicious | Unknown | Browse | 199.232.214.172
                  | tmp.zip | Get hash | malicious | Unknown | Browse | 199.232.210.172
                  | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | Browse | 199.232.210.172
                  | https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  COLOMBIATELECOMUNICACIONESSAESPCO | spc.elf | Get hash | malicious | Mirai, Moobot | Browse | 152.201.10.76
                  | x86_32.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 186.170.74.36
                  | arm.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 186.115.135.148
                  | arm5.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 181.236.40.93
                  | x86_64.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 190.67.61.187
                  | 3.elf | Get hash | malicious | Unknown | Browse | 186.114.208.207
                  | la.bot.mips.elf | Get hash | malicious | Mirai | Browse | 186.170.23.161
                  | la.bot.arm.elf | Get hash | malicious | Mirai | Browse | 186.174.70.127
                  | la.bot.sh4.elf | Get hash | malicious | Mirai | Browse | 186.170.251.19
                  | 1.elf | Get hash | malicious | Unknown | Browse | 186.170.29.20
                  No context
                  No context
                  Process:C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                  Category:dropped
                  Size (bytes):71954
                  Entropy (8bit):7.996617769952133
                  Encrypted:true
                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                  Process:C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):328
                  Entropy (8bit):3.22029273337435
                  Encrypted:false
                  SSDEEP:6:kKNWkT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:IdDImsLNkPlE99SNxAhUe/3
                  MD5:09D4B6651309BF4D539632EEAE46DCCE
                  SHA1:CAEEC27502E0D1DE3DB295ED2441E25093653052
                  SHA-256:DD8E383A1B9C7721BF1C5A89D974748181A0EA3048C17ADD8551FA3F295B44A5
                  SHA-512:44BEBE04F73AA9714192277066ADDEF2DF4E0249BE3BC0753F406AE7AA5FFDA4A37377C031F6A4C4FCE1A5620FB641230FCBE2A2A1442AA8E1B6424E75633DDB
                  Malicious:false
                  Reputation:low
                  Preview:p...... ........V.hl/S..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.618861174822197
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
                  File size:48'640 bytes
                  MD5:f5133e1d8675aeeeb784dbb29a0a85ed
                  SHA1:6a29b2ee1ff544e3afbff65dff2b42d040f9f6e5
                  SHA256:2818cafb3a619f94c43ceac3ed5c778a41228d335b8b2a58287ab843e7ac67f5
                  SHA512:e41ba438719aa52034a2325d1a0f8e725be906227be6954e4ef81fb7deec364daf9cc8ad528399d8e926afad25bf098b37fbdda981e7a8f914150603e5ef6b4f
                  SSDEEP:768:xGq+s3pUtDILNCCa+DihrbKqaGT2iMc8YbugetixpEbQvEgK/JLZVc6KN:8q+AGtQOh2GLzbRrWbQnkJLZVclN
                  TLSH:FB236C4037988136E2FD87B5ADF3A2418279D26B6903C6596CC814EA2B13FC597136FE
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x40cbbe
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb68 | 0x53 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xabc4 | 0xac00 | e9a6da83b961e13e35a7260d2451e4de | False | 0.5032022165697675 | data | 5.6436477307501205 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
                  RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-12-20T23:35:07.166244+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 152.201.182.125 | 8000 | 192.168.2.4 | 49730 | TCP
                  2024-12-20T23:35:07.166244+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 152.201.182.125 | 8000 | 192.168.2.4 | 49730 | TCP
                  2024-12-20T23:35:07.166244+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 152.201.182.125 | 8000 | 192.168.2.4 | 49730 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 20, 2024 23:35:05.669251919 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:05.789227962 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:05.789324045 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:05.816263914 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:05.936311960 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:07.036736965 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:07.046544075 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:07.166244030 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:07.445077896 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:07.499416113 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:10.038464069 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:10.158371925 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:10.158442974 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:10.278219938 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:13.301902056 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:13.343240023 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:13.493767023 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:13.546298027 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:21.832026005 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:21.951833963 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:21.951924086 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:22.071549892 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:22.350502968 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:22.390095949 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:22.542627096 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:22.545428038 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:22.665232897 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:22.665312052 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:22.785063028 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:33.625180006 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:33.744930983 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:33.745012045 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:33.864624023 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:34.141292095 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:34.187014103 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:34.333319902 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:34.335381985 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:34.454931974 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:34.455035925 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:34.574721098 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:43.301249981 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:43.343261957 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:43.493074894 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:43.546540976 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:45.422506094 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:45.542766094 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:45.543070078 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:45.662753105 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:45.941446066 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:45.983937025 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:46.133402109 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:46.135127068 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:46.254781008 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:46.254892111 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:46.374471903 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:57.218784094 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:57.338445902 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:57.338659048 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:57.459166050 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:57.904007912 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:57.928462982 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:57.928754091 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:57.931077003 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:58.050611019 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:35:58.050713062 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:35:58.170193911 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.015724897 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:09.135461092 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.135574102 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:09.255148888 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.532166004 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.577711105 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:09.724319935 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.726353884 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:09.846045017 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:09.846146107 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:09.965717077 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:13.315807104 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:13.358978033 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:13.507877111 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:13.562155008 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:20.812684059 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:20.933480024 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:20.933559895 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:21.053363085 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:21.348161936 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:21.390237093 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:21.540194035 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:21.542366028 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:21.661864042 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:21.662058115 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:21.781569004 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:32.625456095 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:32.745076895 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:32.745160103 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:32.864856958 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:33.146454096 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:33.187184095 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:33.338520050 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:33.340586901 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:33.460167885 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:33.460259914 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:33.596883059 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:43.302067041 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:43.343516111 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:43.494045019 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:43.546550035 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:44.406367064 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:44.525989056 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:44.526067972 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:44.645625114 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:44.926901102 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:44.968415976 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:45.119772911 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:45.123374939 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:45.242861032 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:45.242922068 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:45.362446070 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:56.203280926 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:56.322815895 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:56.322897911 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:56.442493916 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:56.719712019 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:56.765364885 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:56.911578894 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:56.913292885 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:57.032851934 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:36:57.032939911 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:36:57.152744055 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:08.078200102 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:37:08.197812080 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:08.197993040 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:37:08.317533970 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:08.595659971 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:08.640399933 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:37:08.790271044 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:08.843480110 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Dec 20, 2024 23:37:09.369056940 CET | 8000 | 49730 | 152.201.182.125 | 192.168.2.4
                  Dec 20, 2024 23:37:09.369122028 CET | 49730 | 8000 | 192.168.2.4 | 152.201.182.125
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 20, 2024 23:35:05.342511892 CET | 52244 | 53 | 192.168.2.4 | 1.1.1.1
                  Dec 20, 2024 23:35:05.662796021 CET | 53 | 52244 | 1.1.1.1 | 192.168.2.4
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Dec 20, 2024 23:35:05.342511892 CET | 192.168.2.4 | 1.1.1.1 | 0x3299 | Standard query (0) | cooempresasltda104.duckdns.org | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Dec 20, 2024 23:35:05.662796021 CET | 1.1.1.1 | 192.168.2.4 | 0x3299 | No error (0) | cooempresasltda104.duckdns.org | | 152.201.182.125 | A (IP address) | IN (0x0001) | false
                  Dec 20, 2024 23:35:07.662291050 CET | 1.1.1.1 | 192.168.2.4 | 0x12c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                  Dec 20, 2024 23:35:07.662291050 CET | 1.1.1.1 | 192.168.2.4 | 0x12c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                  Target ID:0
                  Start time:17:35:01
                  Start date:20/12/2024
                  Path:C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d91fd2237.dat-decoded.exe"
                  Imagebase:0x910000
                  File size:48'640 bytes
                  MD5 hash:F5133E1D8675AEEEB784DBB29A0A85ED
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1715668106.0000000000912000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2971136177.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2972988411.000000001B663000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2971404801.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2971404801.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:false

                    Execution Graph

                    Execution Coverage:20.3%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:6
                    Total number of Limit Nodes:0
                    execution_graph 4331 7ffd9b7c2d3d 4332 7ffd9b7c2d4b VirtualProtect 4331->4332 4334 7ffd9b7c2e2b 4332->4334 4327 7ffd9b7c29e1 4328 7ffd9b7c29eb LoadLibraryA 4327->4328 4330 7ffd9b7c2ad2 4328->4330

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 5 7ffd9b7c30e2-7ffd9b7c3142 12 7ffd9b7c3148-7ffd9b7c31ed 5->12 13 7ffd9b7c3381-7ffd9b7c33c2 call 7ffd9b7c1998 5->13 42 7ffd9b7c32b3 12->42 43 7ffd9b7c31f3-7ffd9b7c32a0 12->43 21 7ffd9b7c33d7-7ffd9b7c33e0 13->21 22 7ffd9b7c33c4-7ffd9b7c33d5 13->22 25 7ffd9b7c33e8-7ffd9b7c3404 21->25 22->25 31 7ffd9b7c3406-7ffd9b7c3417 25->31 32 7ffd9b7c3419-7ffd9b7c341e 25->32 35 7ffd9b7c3425-7ffd9b7c348b call 7ffd9b7c19a8 call 7ffd9b7c19b8 31->35 32->35 57 7ffd9b7c3512 35->57 58 7ffd9b7c3491-7ffd9b7c34dd 35->58 46 7ffd9b7c32b8-7ffd9b7c32df 42->46 43->42 84 7ffd9b7c32a2-7ffd9b7c32ad 43->84 64 7ffd9b7c32e1-7ffd9b7c32ef 46->64 61 7ffd9b7c3517-7ffd9b7c353f 57->61 58->57 83 7ffd9b7c34df-7ffd9b7c350b 58->83 86 7ffd9b7c3541-7ffd9b7c3558 call 7ffd9b7c38d5 61->86 70 7ffd9b7c3365-7ffd9b7c337c 64->70 71 7ffd9b7c32f1-7ffd9b7c330b 64->71 78 7ffd9b7c3559-7ffd9b7c356a 70->78 71->78 79 7ffd9b7c3311-7ffd9b7c332c 71->79 90 7ffd9b7c3570-7ffd9b7c365e call 7ffd9b7c19c8 call 7ffd9b7c19d8 78->90 91 7ffd9b7c3891 78->91 85 7ffd9b7c3334-7ffd9b7c3345 79->85 83->61 94 7ffd9b7c350d-7ffd9b7c3510 83->94 84->46 88 7ffd9b7c32af-7ffd9b7c32b1 84->88 97 7ffd9b7c3347 85->97 98 7ffd9b7c334c-7ffd9b7c335e 85->98 86->78 88->64 90->42 117 7ffd9b7c3664-7ffd9b7c3690 90->117 95 7ffd9b7c3898-7ffd9b7c38a4 91->95 94->86 97->78 98->79 100 7ffd9b7c3360 98->100 100->78 119 7ffd9b7c3692-7ffd9b7c3698 117->119 120 7ffd9b7c369a-7ffd9b7c36a1 119->120 121 7ffd9b7c36d0-7ffd9b7c37a6 call 7ffd9b7c2418 119->121 120->119 124 7ffd9b7c36a3-7ffd9b7c36c5 call 7ffd9b7c1988 call 7ffd9b7c0628 120->124 143 7ffd9b7c37a7-7ffd9b7c37b8 121->143 133 7ffd9b7c36ca 124->133 133->121 146 7ffd9b7c37ba-7ffd9b7c3889 call 7ffd9b7c2418 143->146 156 7ffd9b7c388f 146->156 156->95
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2974038598.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b7c0000_1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d9.jbxd
                    Similarity
                    • API ID:
                    • String ID: ,
                    • API String ID: 0-3772416878
                    • Opcode ID: 3be560a21070ff3855f46e4e33aadbf3c6750b54b7d867b3a3b36a46de7e9f10
                    • Instruction ID: 0deb9171e7aa830dd7378accd6ef88c19ecdcd5ea55381a8082b60a5b7f475ae
                    • Opcode Fuzzy Hash: 3be560a21070ff3855f46e4e33aadbf3c6750b54b7d867b3a3b36a46de7e9f10
                    • Instruction Fuzzy Hash: 8432E731B19A494FEB68FB689465AB973D1EF98310F52067DE05EC33E6CE38AC418741

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2974038598.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b7c0000_1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d9.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2959bf9c243e3d6a669f1e6e5628fd278a3ba0c70f71e20ea2ed63e1bbd4fde9
                    • Instruction ID: a3e8f3a577196adf1b7fda712ad7497087179f47011282dddd6ef6cd3154d14e
                    • Opcode Fuzzy Hash: 2959bf9c243e3d6a669f1e6e5628fd278a3ba0c70f71e20ea2ed63e1bbd4fde9
                    • Instruction Fuzzy Hash: 57F19330A09A8D8FEBA8EF28C855BF937D1FF54310F04426EE84DC72A5DB7499418B81

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2974038598.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b7c0000_1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d9.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7103177ab9645ba7c88675c43106991c3e37c1934cd78ebc4d32351cfac8c064
                    • Instruction ID: c7680589863681e7a5ff36f413bacc52c59ef43742ec4f0dd8c9f1ed3a2a3915
                    • Opcode Fuzzy Hash: 7103177ab9645ba7c88675c43106991c3e37c1934cd78ebc4d32351cfac8c064
                    • Instruction Fuzzy Hash: 3FE1B530A09A8D8FEBA9EF28C8597F977D1FB55310F04426ED84DC72A5CB7899418781

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2974038598.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b7c0000_1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d9.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 6b35aa27acdede669dff3f190cf9911b857f7e7d40f92efbfe933e011f431d7b
                    • Instruction ID: 1e33195c2e03d828141cb2e9d4a2dd6fd945724206c99936ee4de10824d1d480
                    • Opcode Fuzzy Hash: 6b35aa27acdede669dff3f190cf9911b857f7e7d40f92efbfe933e011f431d7b
                    • Instruction Fuzzy Hash: 7D416F30A08A4C8FDB98EF98D855BEDBBF1FF99310F1041AAD04DD7296CA75A841CB41

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2974038598.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b7c0000_1734733987ee1a8345da831d1ecbca38d8a0fdc4854f6779b69f21209db7e0a6d5a2d9.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 08b3801999dfae53085e72140a14998a7029ef44683208a6761c6904f205f2b7
                    • Instruction ID: b677f8c12f63811049efc97597d54d57b2ce11a851bdb16584639cbb0f39c1cb
                    • Opcode Fuzzy Hash: 08b3801999dfae53085e72140a14998a7029ef44683208a6761c6904f205f2b7
                    • Instruction Fuzzy Hash: 3441F73190D7884FDB199BA898566F97BE0EF96321F0442AFD089C32A2CA746406C786