Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1583461
MD5:76969acc42256771162be6f285de947c
SHA1:071c5791d9ca1c2382450c6ef09432e12e8b3ca2
SHA256:155854758b79cdee58f7df5c1a4a07d3b19b3d64a0a58b2e8faf6d8b67042f3c
Tags: NET, exe, MSIL, njrat, user-jstrosch
Infos:

Detection

DcRat, JasonRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DcRat
Yara detected JasonRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4696 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 76969ACC42256771162BE6F285DE947C)
    • Mxscspd_BelphegorShell.exe (PID: 4084 cmdline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe" MD5: 412A8BBC3366FEC40120821A598EA26F)
  • cleanup
{"Server": "127.0.0.1,winner2025me.duckdns.org", "Ports": "7777", "Version": "JASON 2.1.1.0", "Autorun": "false", "Install_Folder": "AppData", "Install_File": "ScJlsrsfsks", "AES_key": "Jason\u2620LetThereBeCarnage", "Mutex": "Jason_CnzagnrahJcsdJcnzns", "AntiDetection": "null", "External_config_on_Pastebin": "false", "Startup_Delay": 1, "Certificate": "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", "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=", "Group": "HOME"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security

Source | Rule | Description | Author
00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
Process Memory Space: file.exe PID: 4696 | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security

Source | Rule | Description | Author
1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
0.2.file.exe.39c3d90.1.unpack | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
0.2.file.exe.3995570.2.unpack | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security
1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack | JoeSecurity_JasonRAT | Yara detected JasonRAT | Joe Security

System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 87.120.113.91, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Initiated: true, ProcessId: 4084, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, ProcessId: 4084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScJlsrsfsks

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:14:02.195868+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 87.120.113.91 | 7777 | 192.168.2.5 | 49704 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | Malware Configuration Extractor: JasonRAT {"Server": "127.0.0.1,winner2025me.duckdns.org", "Ports": "7777", "Version": "JASON 2.1.1.0", "Autorun": "false", "Install_Folder": "AppData", "Install_File": "ScJlsrsfsks", "AES_key": "Jason\u2620LetThereBeCarnage", "Mutex": "Jason_CnzagnrahJcsdJcnzns", "AntiDetection": "null", "External_config_on_Pastebin": "false", "Startup_Delay": 1, "Certificate": "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", "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=", "Group": "HOME"}
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | ReversingLabs: Detection: 52%
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: 7777
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: 127.0.0.1,winner2025me.duckdns.org
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: JASON 2.1.1.0
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: Jason_CnzagnrahJcsdJcnzns
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: 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
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: null
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: HOME
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.91:7777 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: winner2025me.duckdns.org
Source: unknown | DNS query: name: winner2025me.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 87.120.113.91:7777
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: winner2025me.duckdns.org
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291327110.000000001D935000.00000004.00000020.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3291032924.000000001D830000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3288869079.0000000001353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89k
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003E62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED

System Summary

Source: Mxscspd_BelphegorShell.exe.0.dr, Program.cs | Large array initialization: Main: array initializer size 180224
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F561C6 | 1_2_00007FF848F561C6
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F59368 | 1_2_00007FF848F59368
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F4FBF0 | 1_2_00007FF848F4FBF0
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F40D05 | 1_2_00007FF848F40D05
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F415D1 | 1_2_00007FF848F415D1
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F510A5 | 1_2_00007FF848F510A5
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F56F72 | 1_2_00007FF848F56F72
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F41A5E | 1_2_00007FF848F41A5E
Source: Mxscspd_BelphegorShell.exe.0.dr | Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAbezethibou64.exe" vs file.exe
Source: file.exe, 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMxscspd_BelphegorShell.exe4 vs file.exe
Source: file.exe, 00000000.00000002.2044783649.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2039897335.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewrapper_jre_offline.exeP vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamewrapper_jre_offline.exeP vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/4@4/2
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Jason_CnzagnrahJcsdJcnzns
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: devenum.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Mxscspd_BelphegorShell.exe.0.dr, Program.cs | .Net Code: LoadAndExecuteAssemblyInMemory System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9004B push edx; retf 0_2_04E90072
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9002C push ebx; retf 0_2_04E9004A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E901A4 push ebx; retf 0_2_04E901BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9026B push 3C00CB50h; retf 0_2_04E90292
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F4755E push ds; iretd 1_2_00007FF848F4755F
Source: file.exe | Static PE information: section name: .text entropy: 7.7525499842123144
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe

Boot Survival

                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ScJlsrsfsksJump to behavior (3 identical events)
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior (2 identical events)
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior (16 identical events)
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior (63 identical events)

                        Malware Analysis System Evasion

                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 2900000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 2990000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: 4990000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeMemory allocated: 1290000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeMemory allocated: 1BD70000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior (listed twice in the report)
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeThread delayed: delay time: 922337203685477Jump to behavior (listed twice in the report)
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeWindow / User API: threadDelayed 1606Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeWindow / User API: threadDelayed 8229Jump to behavior
                        Source: C:\Users\user\Desktop\file.exe TID: 6980Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6640Thread sleep count: 1606 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6532Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6568Thread sleep count: 8229 > 30Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6752Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Note: 922337203685477 is |INT64_MIN| / 10^4, i.e. the relative 100 ns interval that kernelbase!SleepEx hands to NtDelayExecution for INFINITE, expressed in milliseconds (the "s" suffix in the report notwithstanding). The two "Thread delayed" entries and the TID 6980 sleep are therefore a parked thread (Sleep(INFINITE) / .NET Thread.Sleep(Timeout.Infinite), the usual RAT keep-alive), not a timed anti-sandbox stall, and the -22136092888451448 figure on TID 6752 is exactly 24 such intervals. The timed behaviour worth attention is the 30 s sleep on TID 6532 and the 1606- and 8229-iteration sleep loops on TIDs 6640 and 6568, which the report flags as possible user-activity polling.
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\userJump to behavior
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppDataJump to behavior
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291579026.000000001DA02000.00000004.00000020.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3288869079.0000000001353000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe" Jump to behavior
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DEA000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291381905.000000001D953000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managern
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DEA000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@
                        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291327110.000000001D935000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpeng.exe
                        Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291579026.000000001DA02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
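The persistence, sandbox-evasion and security-software-discovery entries in the three sections above are what a responder turns into triage rules. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it parses the report's own behaviour lines (the text export fuses the process path onto the action label and appends link residue such as "Jump to behavior") and applies rules that mirror the flagged behaviours. The sample lines are copied from this report; the category names, the dynamic-DNS suffix list, the user-writable-directory pattern and the ATT&CK IDs in the comments are the editor's assumptions.

```python
"""Triage helpers for the behaviour lines in this Joe Sandbox report.

Added example (editor's code, not Joe Sandbox's): parse_line() undoes the
fused "Source: <path><Action>: <detail>Jump to ..." layout of the text export,
and triage() applies rules that mirror the behaviours this report flags.
SAMPLE_LINES are copied from the report; the technique IDs are the editor's.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)(?: TID: (?P<tid>\d+))?"  # process path, optional thread id
    r"(?P<action>[A-Z][A-Za-z /]+?):\s*"                    # action label glued onto the path
    r"(?P<detail>.*?)(?:Jump to behavior|Jump to dropped file)?\s*$"
)

# Locations an unprivileged user can write to (assumed list). A payload dropped here,
# or an autorun value set by a process living here, is the dropper pattern in this report.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)

# |INT64_MIN| / 10_000: the relative 100 ns interval kernelbase!SleepEx passes to
# NtDelayExecution for INFINITE, in milliseconds as the report prints it.
INFINITE_MS = (1 << 63) // 10_000  # 922337203685477

# Dynamic-DNS providers commonly used for RAT callbacks (assumed list; duckdns.org is the one here).
DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "hopto.org", "no-ip.org")

SAMPLE_LINES = [  # copied from this report; the last line is a benign control
    r"Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeJump to dropped file",
    r'Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe" Jump to behavior',
    r"Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ScJlsrsfsksJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6752Thread sleep time: -22136092888451448s >= -30000sJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]


def parse_line(line):
    """Split one report line into {src, tid, action, detail}; None if not a behaviour line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["detail"] = rec["detail"].strip()
    rec["tid"] = int(rec["tid"]) if rec["tid"] else None
    return rec


def classify_delay(value):
    """Tell a parked thread (a whole number of INFINITE waits) from a timed stall."""
    ms = abs(int(value))
    if ms and ms % INFINITE_MS == 0:
        return "infinite-wait x%d" % (ms // INFINITE_MS)
    return "timed-delay %d ms" % ms


def is_dynamic_dns(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def _add(findings, category, item):
    if item not in findings[category]:  # the report repeats identical events
        findings[category].append(item)


def triage(lines):
    """Run the rules over report lines; returns {category: [findings]}."""
    f = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        src, action, detail = rec["src"], rec["action"], rec["detail"]
        if action == "File created" and detail.lower().endswith(".exe") and USER_WRITABLE.search(detail):
            _add(f, "dropped_exe", detail)
        elif action == "Process created":
            child = detail.split('"')[0].strip()
            if USER_WRITABLE.search(child):
                _add(f, "exec_from_user_dir", (src, child))
        elif action == "Registry value created or modified" and RUN_KEY.search(detail) \
                and (USER_WRITABLE.search(src) or USER_WRITABLE.search(detail)):
            _add(f, "persistence", (src, detail))  # T1547.001 Registry Run Keys
        elif action == "WMI Queries" and "securitycenter2" in detail.lower():
            _add(f, "security_software_discovery", detail)  # T1518.001
        elif action == "Key value queried" and detail.lower().endswith("machineguid"):
            _add(f, "host_fingerprint", detail)  # T1082; MachineGuid is often used as a host ID
        elif action in ("Thread delayed", "Thread sleep time"):
            num = re.search(r"-?\d+", detail)
            if num:
                _add(f, "delays", (src, rec["tid"], classify_delay(num.group())))
    return dict(f)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it directly to print the findings for the embedded lines, or pass triage() the lines of another Joe Sandbox text export. classify_delay() labels a delay that is a whole multiple of 922337203685477 ms as a parked INFINITE wait, which separates the "long sleep" entries of this report from the 30 s timed stall and the 1606/8229-iteration polling loops; the benign NOOPENFILEERRORBOX line produces no finding.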

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara matchFile source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
                        MITRE ATT&CK matrix. The number in parentheses is the count the report shows against that technique; cells without a count are the unmatched template entries of the matrix.

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (12) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (11) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | At | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (11) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (12) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Application Layer Protocol (21) | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (12) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots: thumbnails of the analysis run (not included in this text export).
                        Antivirus detection, submitted sample
                        Source | Detection | Scanner | Label
                        file.exe | 39% | ReversingLabs | Win32.Exploit.Generic
                        file.exe | 100% | Avira | HEUR/AGEN.1307423
                        file.exe | 100% | Joe Sandbox ML |

                        Antivirus detection, dropped file
                        Source | Detection | Scanner | Label
                        C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | 100% | Joe Sandbox ML |
                        C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                        No Antivirus matches
                        No Antivirus matches

                        Antivirus detection, URLs
                        Source | Detection | Scanner | Label
                        winner2025me.duckdns.org | 0% | Avira URL Cloud | safe

                        Note that the scanner labels (Win32.Exploit.Generic, HEUR/AGEN.1307423, ByteCode-MSIL.Trojan.AgentTesla) disagree with each other and with the report's own DcRat / JasonRAT classification; generic MSIL labels should not drive family attribution, the Yara matches and the extracted malware configuration should.
                        Domains
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                        winner2025me.duckdns.org | 87.120.113.91 | true | true | | unknown

                        Contacted domains
                        Name | Malicious | Antivirus Detection | Reputation
                        winner2025me.duckdns.org | true | Avira URL Cloud: safe | unknown

                        URLs found in memory
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003D71000.00000004.00000800.00020000.00000000.sdmp; Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003E62000.00000004.00000800.00020000.00000000.sdmp | false | | high

                        IP reputation legend:
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Contacted IPs
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
                        87.120.113.91 | winner2025me.duckdns.org | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true

                        The URL reputation feed rates the duckdns.org C2 host "safe" while the traffic analysis marks it malicious: reputation lookups lag behind freshly registered dynamic-DNS names, so the C2 address from the extracted configuration and the Suricata alerts are the authoritative indicators here.
                               Joe Sandbox version: 41.0.0 Charoite
                               Analysis ID: 1583461
                               Start date and time: 2025-01-02 20:13:01 +01:00
                               Joe Sandbox product: CloudBasic
                               Overall analysis duration: 0h 5m 14s
                               Hypervisor based Inspection enabled: false
                               Report type: full
                               Cookbook file name: default.jbs
                               Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of analysed new started processes: 5
                               Number of new started drivers analysed: 0
                               Number of existing processes analysed: 0
                               Number of existing drivers analysed: 0
                               Number of injected processes analysed: 0
                               Technologies:
                               • HCA enabled
                               • EGA enabled
                               • AMSI enabled
                               Analysis Mode: default
                               Analysis stop reason: Timeout
                               Sample name: file.exe
                               Detection: MAL
                               Classification: mal100.troj.evad.winEXE@3/4@4/2
                              EGA Information:
                              • Successful, ratio: 50%
                              HCA Information:
                              • Successful, ratio: 94%
                              • Number of executed functions: 45
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 13.107.246.45
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target file.exe, PID 4696 because it is empty
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: file.exe
                               Time | Type | Description
                               14:14:01 | API Interceptor | 1x Sleep call for process: Mxscspd_BelphegorShell.exe modified
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               87.120.113.91 | 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91/image.exe
                               87.120.113.91 | LPO-0048532025.lnk | malicious | DarkVision Rat | 87.120.113.91/image.exe
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               bg.microsoft.map.fastly.net | iviewers.dll | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.214.172
                               bg.microsoft.map.fastly.net | wrcaf.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
                               bg.microsoft.map.fastly.net | iubn.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
                               bg.microsoft.map.fastly.net | rwvg1.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.210.172
                               bg.microsoft.map.fastly.net | ersyb.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.214.172
                               bg.microsoft.map.fastly.net | Hornswoggle.exe | malicious | GuLoader | 199.232.214.172
                               bg.microsoft.map.fastly.net | 8n26gvrXUM.exe | malicious | Unknown | 199.232.214.172
                               bg.microsoft.map.fastly.net | https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | malicious | Unknown | 199.232.210.172
                               bg.microsoft.map.fastly.net | 5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit | 199.232.214.172
                               bg.microsoft.map.fastly.net | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 199.232.210.172
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               UNACS-AS-BG8000BurgasBG | 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91
                               UNACS-AS-BG8000BurgasBG | hoEtvOOrYH.exe | malicious | SmokeLoader | 87.120.115.216
                               UNACS-AS-BG8000BurgasBG | rebirth.arm4t.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.spc.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.sh4.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.arm5.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.x86.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.ppc.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.arm6.elf | malicious | Gafgyt | 87.120.113.63
                               UNACS-AS-BG8000BurgasBG | rebirth.m68.elf | malicious | Gafgyt | 87.120.113.63
                              No context
                              No context
                              Process:C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                              Category:dropped
                              Size (bytes):71954
                              Entropy (8bit):7.996617769952133
                              Encrypted:true
                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                              Process:C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):328
                              Entropy (8bit):3.253995428229512
                              Encrypted:false
                              SSDEEP:6:kKz9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:iDImsLNkPlE99SNxAhUe/3
                              MD5:1AA3272D53B554F8EB4E3186C994B69D
                              SHA1:B361BB9EAC9B65949B50F176E97FF1461EB480A9
                              SHA-256:9008EA54347D7A5DB2E0E113F9F33A34035A0CF7D954D50E03C5BA4496E0CE22
                              SHA-512:964D5E2222E2DA9734D61F0BEB31DABB9E40D84AAAF5F86A8D25191068E446741539408F18D5F9763A012F28A1F30A0EF607663AB2E3B01A0595C12A42976B18
                              Malicious:false
                              Reputation:low
                              Preview:p...... ..........y{J]..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.360398796477698
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                              MD5:3A8957C6382192B71471BD14359D0B12
                              SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                              SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                              SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):190464
                              Entropy (8bit):5.655415027243687
                              Encrypted:false
                              SSDEEP:3072:vXpgDh/4L28y4UBQ9bwD9wb651a0UlDRvznBf+gk:Vry4UBQ9bX651aXxR+
                              MD5:412A8BBC3366FEC40120821A598EA26F
                              SHA1:171CC5CF93880517BA70B59C3A26FC9B249BC02D
                              SHA-256:D918B089C7CCE51352C6BCB6C3851FBF420884221BB30254179C55C42929F466
                              SHA-512:2890B21770E6C8FD432AEC2193462C19229AD9AE9E2E873784720FB40A46FFD927B58258D76D4FA38B3825A76CD2DD24F2179730783AC3FE6DA24BCBEAAF8047
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 53%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...hdng.........."...................... .....@..... ....................... ............@...@......@............... ............................................................................................................................... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..BH...............................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...v.o..........."...0.................. .....@..... ....................................@...@......@............... ............................................................................................................................... ..H............text...4.... ..
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.638702692097853
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:file.exe
                              File size:286'720 bytes
                              MD5:76969acc42256771162be6f285de947c
                              SHA1:071c5791d9ca1c2382450c6ef09432e12e8b3ca2
                              SHA256:155854758b79cdee58f7df5c1a4a07d3b19b3d64a0a58b2e8faf6d8b67042f3c
                              SHA512:c6a687236323e2ea70c89f3ad38a80d8be179ebf281ff2b5b39db9f9a3ecab67eb9ec8237df82464566d0c7fa952e5d9dfa171b61a7f1b3abeb4897f54769f52
                              SSDEEP:6144:U5nFOwQLKFIkwMs+OZBH/5kA5wJEGrNTxhd:UJFOZKFIk2ZBf5kA+JE6h
                              TLSH:7154E07EF245AE91C65D8A7384D7E83613B5DCAE8593E34E30E8353105B33EA0046E9B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.vg................................. ........@.. ....................................@................................
                              Icon Hash:d08c8e8ea2868a54
                              Entrypoint:0x43fc8b
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x67760267 [Thu Jan 2 03:05:11 2025 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3fc41 | 0x4a | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x7d18 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x2000 | 0x3dc91 | 0x3de00 | be00ba236e84578e223b1173c30b8f09 | False | 0.7859296085858586 | data | 7.7525499842123144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x40000 | 0x7d18 | 0x7e00 | 918509519b072686227a93f0492951a9 | False | 0.34759424603174605 | data | 5.884923281729306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x48000 | 0xc | 0x200 | 7fbb61b20dd594194e8c38485aabe777 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0x400c4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.21890243902439024
                               RT_ICON | 0x40750 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.3400537634408602
                               RT_ICON | 0x40a5c | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.35450819672131145
                               RT_ICON | 0x40c68 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.46283783783783783
                               RT_ICON | 0x40db4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5026652452025586
                               RT_ICON | 0x41c80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.5798736462093863
                               RT_ICON | 0x4254c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.40264976958525345
                               RT_ICON | 0x42c38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.3273121387283237
                               RT_ICON | 0x431c4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.27344398340248965
                               RT_ICON | 0x45790 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.37875234521575984
                               RT_ICON | 0x4685c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.37868852459016394
                               RT_ICON | 0x47208 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4796099290780142
                               RT_GROUP_ICON | 0x476ac | 0xae | data | English | United States | 0.5977011494252874
                               RT_VERSION | 0x47796 | 0x35c | data | English | United States | 0.4755813953488372
                               RT_MANIFEST | 0x47b2e | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5469387755102041
                               DLL | Import
                               mscoree.dll | _CorExeMain
                               Language of compilation system | Country where language is spoken
                               English | United States
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2025-01-02T20:14:02.195868+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 87.120.113.91 | 7777 | 192.168.2.5 | 49704 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jan 2, 2025 20:14:01.379029036 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:01.383846045 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:01.383945942 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:01.400010109 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:01.404804945 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:02.185301065 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:02.191057920 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:02.195868015 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:02.367734909 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:02.419197083 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:03.551254034 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:03.556164980 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:03.556217909 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:03.560991049 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:14.959703922 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:14.964713097 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:14.964814901 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:14.969571114 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:15.263408899 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:15.309828043 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:15.394859076 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:15.434983969 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:26.358086109 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:26.362925053 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:26.363883972 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:26.368664980 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:26.675950050 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:26.716252089 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:26.799747944 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:26.841099024 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:37.763591051 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:37.768320084 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:37.768379927 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:37.773216963 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:38.096590042 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:38.153585911 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:38.221914053 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:38.262952089 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:49.169670105 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:49.174635887 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:49.174743891 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:49.179577112 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:49.479302883 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:49.528523922 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:14:49.612181902 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:14:49.669166088 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:00.575818062 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:00.580912113 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:00.581012011 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:00.585863113 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:00.900336027 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:00.950438023 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:01.034948111 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:01.075571060 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:11.997792959 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:12.002756119 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:12.002859116 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:12.007597923 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:12.309508085 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:12.356694937 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:12.441042900 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:12.497256041 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:23.388670921 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:23.393526077 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:23.393623114 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:23.398469925 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:23.708152056 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:23.762868881 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:23.831518888 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:23.872361898 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:34.794539928 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:34.799428940 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:34.799490929 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:34.804239035 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:35.106250048 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:35.153528929 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:35.238431931 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:35.294157982 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:46.241620064 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:46.246479988 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:46.246546984 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:46.251359940 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:46.540797949 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:46.590958118 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:46.661737919 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                               Jan 2, 2025 20:15:46.716011047 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                               Jan 2, 2025 20:15:57.653762102 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
                              Jan 2, 2025 20:15:57.658647060 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:57.658714056 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:57.663446903 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:57.967681885 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:58.012890100 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:58.098320961 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:58.153625011 CET497047777192.168.2.587.120.113.91
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jan 2, 2025 20:13:57.254897118 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
                              Jan 2, 2025 20:13:58.247528076 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
                              Jan 2, 2025 20:13:59.263191938 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
                              Jan 2, 2025 20:14:01.263308048 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
                              Jan 2, 2025 20:14:01.373661041 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
                              Jan 2, 2025 20:14:01.373677969 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
                              Jan 2, 2025 20:14:01.373686075 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
                              Jan 2, 2025 20:14:01.373693943 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
                              Timestamp | Source IP | Dest IP | Checksum | Code | Type
                              Jan 2, 2025 20:13:55.197978020 CET | 192.168.2.5 | 8.8.8.8 | 4d5a | | Echo
                              Jan 2, 2025 20:13:55.204114914 CET | 8.8.8.8 | 192.168.2.5 | 555a | | Echo Reply
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Jan 2, 2025 20:13:57.254897118 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:13:58.247528076 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:13:59.263191938 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:01.263308048 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Jan 2, 2025 20:14:01.373661041 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:01.373677969 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:01.373686075 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:01.373693943 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:02.459532022 CET | 1.1.1.1 | 192.168.2.5 | 0x9af0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                              Jan 2, 2025 20:14:02.459532022 CET | 1.1.1.1 | 192.168.2.5 | 0x9af0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                              Target ID: 0
                              Start time: 14:13:51
                              Start date: 02/01/2025
                              Path: C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\file.exe"
                              Imagebase: 0x6a0000
                              File size: 286'720 bytes
                              MD5 hash: 76969ACC42256771162BE6F285DE947C
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: low
                              Has exited: true

                              Target ID: 1
                              Start time: 14:13:51
                              Start date: 02/01/2025
                              Path: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
                              Imagebase: 0xa10000
                              File size: 190'464 bytes
                              MD5 hash: 412A8BBC3366FEC40120821A598EA26F
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 53%, ReversingLabs
                              Reputation: low
                              Has exited: false

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: paq$$]q
                                • API String ID: 0-2770606447
                                • Opcode ID: f2ae4421a6d7798b4c4bd8ab0bf80c883d48389ec70e524a9a0bc178fcbf15b9
                                • Instruction ID: 92b0db09738e8aa2f9ecc5ef79a9f1c7254c19dd575e6997068aa4deeda69ea9
                                • Opcode Fuzzy Hash: f2ae4421a6d7798b4c4bd8ab0bf80c883d48389ec70e524a9a0bc178fcbf15b9
                                • Instruction Fuzzy Hash: D271F43A640104EFCB09DFA8C948D59BBB2FF4D314B168198E6059F276CB32EC65EB40
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: }$bq
                                • API String ID: 0-2386963243
                                • Opcode ID: 2a10687c26c1b4a24f14e45a2b1cb77d3fe816cc24cd66ac1cc84ee292d1ad42
                                • Instruction ID: 00a13ed6c3ef1c936e1c10029da21fde5f48e65778a6715d6c5a22aa850ae661
                                • Opcode Fuzzy Hash: 2a10687c26c1b4a24f14e45a2b1cb77d3fe816cc24cd66ac1cc84ee292d1ad42
                                • Instruction Fuzzy Hash: 9B512A74E1420AEFCB05DFA8D980EEDBBB5AF48340F50496AD41BAB254EB309985CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 3$_
                                • API String ID: 0-3545247512
                                • Opcode ID: 0630eb6480f6035f16c224413fbf8edb67751f83b4010d0703f37c44fee7552f
                                • Instruction ID: 5241a875baba8822d20eb713cd43e314834d6ec123f3758af16e6682f90dfdab
                                • Opcode Fuzzy Hash: 0630eb6480f6035f16c224413fbf8edb67751f83b4010d0703f37c44fee7552f
                                • Instruction Fuzzy Hash: EF4181347005188FC708DFA9D9A9E6D7BE6FFC8B15B2444A9E40AC7361DF349D429B40
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 6eb49ab9d7e489c5f1aed43c4e0711ec300b24c2ab37511ff3628d1fb54c195e
                                • Instruction ID: ba2d3573eb926050120e2ebc018f6a70af160fbad81d4ff5e664932ca849310d
                                • Opcode Fuzzy Hash: 6eb49ab9d7e489c5f1aed43c4e0711ec300b24c2ab37511ff3628d1fb54c195e
                                • Instruction Fuzzy Hash: 33416E34E042099FCB04DFA9D9849DEBBB1FF84314F208AA6E811EB355DB34AA45CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8aq
                                • API String ID: 0-538729646
                                • Opcode ID: ea5b7a3a537e50dd839064d5d1fe2c7cb8a6e8fa19fcb8cdc15a1349c2297672
                                • Instruction ID: cc72a4881b3a10c76099700289f18d08f3c0e4e1ae29271df9d70cde57ff67d9
                                • Opcode Fuzzy Hash: ea5b7a3a537e50dd839064d5d1fe2c7cb8a6e8fa19fcb8cdc15a1349c2297672
                                • Instruction Fuzzy Hash: 1821C124B0C145DFCF04EB68DD51F7A7BA6EBC921471098AAD4079B386CE219D06CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8aq
                                • API String ID: 0-538729646
                                • Opcode ID: 591f02bb9aad53ea3b65c38752946312fe46f682b04343ec8cc7d8230a257a19
                                • Instruction ID: 048a7dab96d0f01ac09f877cb593c90272b6bc23f395ea675d649865155e987b
                                • Opcode Fuzzy Hash: 591f02bb9aad53ea3b65c38752946312fe46f682b04343ec8cc7d8230a257a19
                                • Instruction Fuzzy Hash: B1216034B0C015DB8F44EA59D951F7AB7A6EBC8254B10986AD4079B385CE32AD06CBE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: }
                                • API String ID: 0-4239843852
                                • Opcode ID: e193a2dfe4da2662c0c3566f35e0e8a856ba7f0938e7ba911ac1cefe8b6f256f
                                • Instruction ID: 62d6137efa458f4662bf2e6832815dbd46ff18f7d2e702f9563cf1377fd2e76c
                                • Opcode Fuzzy Hash: e193a2dfe4da2662c0c3566f35e0e8a856ba7f0938e7ba911ac1cefe8b6f256f
                                • Instruction Fuzzy Hash: 7EE0862080E388DFC70387609C626557F389A03214B2500C3E449CB4A3C9251D0ECB62
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: V
                                • API String ID: 0-1342839628
                                • Opcode ID: 094e0f1f835c9781664af5d6456457db357005b12e093d16a93ec202005a3968
                                • Instruction ID: c020b64932a2aa6837b706a9b35379026472f4161582218f61eac1361939cde9
                                • Opcode Fuzzy Hash: 094e0f1f835c9781664af5d6456457db357005b12e093d16a93ec202005a3968
                                • Instruction Fuzzy Hash: 09D0A7B1C4E1449FC700CAA4E982AED7B759B55240B1542CBC44F47643DD250D4B9F61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: V
                                • API String ID: 0-1342839628
                                • Opcode ID: 64e70103f1be6647c28f6623d03347c2a8d6835967b2da7c26f5fac46c0318cd
                                • Instruction ID: f661d9fe8941aaa192699ae846000f3f18285a74238f2a270b3503e8a7b9281c
                                • Opcode Fuzzy Hash: 64e70103f1be6647c28f6623d03347c2a8d6835967b2da7c26f5fac46c0318cd
                                • Instruction Fuzzy Hash: E3C08C2040820CE7C700DAC6EA01EAEB3AC9740200F004587880E03300CE321E849AA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: }
                                • API String ID: 0-4239843852
                                • Opcode ID: d30a6919b082e526c8854762fc34f8d65e97a8c48aa5b7e3d5c645c0ef21600b
                                • Instruction ID: fe15a2c4c1d9a228eb65fbd3139e43c9820b978397ac7622919612325c7b1c06
                                • Opcode Fuzzy Hash: d30a6919b082e526c8854762fc34f8d65e97a8c48aa5b7e3d5c645c0ef21600b
                                • Instruction Fuzzy Hash: 7DC0123080830CEBCA40DBD1E94AA6CB7BCAB40208F000186A80E83A40CA312E00EB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 91cc01f5341597efb7faa474ef3634d12b8c32102b1da41f73da26422eff2110
                                • Instruction ID: 768376743ee91155c56802d8689a40eb3b857584d858a5779df84408b8f7a899
                                • Opcode Fuzzy Hash: 91cc01f5341597efb7faa474ef3634d12b8c32102b1da41f73da26422eff2110
                                • Instruction Fuzzy Hash: F2C16130B006098FCB049FA9C955A9DBBF2FF88714F248569E40ADB3A5DF749D86DB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b2a9c57832a8eb6f49797298099ace970f60601b0167d1fcb116e42cb7cc53c
                                • Instruction ID: 861f02acd391d1a7e6349ea060afc15efdd529bc1701ada94d3689109bb6d704
                                • Opcode Fuzzy Hash: 6b2a9c57832a8eb6f49797298099ace970f60601b0167d1fcb116e42cb7cc53c
                                • Instruction Fuzzy Hash: 6C717570E04B018FD725DF25C490A1ABBF2BF98310B14CA6DD89A87755DB74E986CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 83a11bf4b53c664cdc0d8a4acc81c2297c60e3cdc53c0896b4b2f4b6a9b85b0b
                                • Instruction ID: e8aaf4b63346fe4bc9110538c374ea8488ed7ce01c2cb5daf05403c7853bd2bf
                                • Opcode Fuzzy Hash: 83a11bf4b53c664cdc0d8a4acc81c2297c60e3cdc53c0896b4b2f4b6a9b85b0b
                                • Instruction Fuzzy Hash: 8151BE31E0C615DFCB288F55D884D6EBBB5FB846587048D2AFC5B97610CF30A845CBA6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f24467618d4da0f0f4146500004b4fd392b293c083169230a27f9d8be664760
                                • Instruction ID: b6a30677f27f0919f59c096a2db5be49ba35c9095ed55d313ce2d759d1a16abb
                                • Opcode Fuzzy Hash: 3f24467618d4da0f0f4146500004b4fd392b293c083169230a27f9d8be664760
                                • Instruction Fuzzy Hash: 5E515435609506EFC714DF35D484E1AF7B2BF9431073586AAD40A8BA41DB31F892CF84
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f9cabbd14244e3bf4cd17964dddff89a789d2828f5f02926e9ade7a27dcf3995
                                • Instruction ID: f25e8f9d5aaf4d01714b8a9d1872976390b0538221888058ef679de1ec809862
                                • Opcode Fuzzy Hash: f9cabbd14244e3bf4cd17964dddff89a789d2828f5f02926e9ade7a27dcf3995
                                • Instruction Fuzzy Hash: 31314A6280E3E55EC706AB7C9A728D87FB09D47254B0604E7C184CF177D828894EC7AA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61aadaebe95839676c9e9bbbb63ab521a69ec2ad4fadf4f0e263ee06f029125d
                                • Instruction ID: 7921d511eba95e951a10b1fd48fe8200b86f84fd60b98d7fc211bc9bcc728b52
                                • Opcode Fuzzy Hash: 61aadaebe95839676c9e9bbbb63ab521a69ec2ad4fadf4f0e263ee06f029125d
                                • Instruction Fuzzy Hash: A2413A34A041098FDB54DFA8C991BADBBB1EF89304F20819AD819DB396DB319942CF40
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de22a01a151f3bc8d6147dc562953c7add926b7d23860da070e435f95308eecb
                                • Instruction ID: 86de39dcb8111b2cf4cd5d19a617bf5d9786b35c5fafa4f1ad1a6cfdd866ce0a
                                • Opcode Fuzzy Hash: de22a01a151f3bc8d6147dc562953c7add926b7d23860da070e435f95308eecb
                                • Instruction Fuzzy Hash: 7731CD787041009FD748DB5DD9A1A66B3E6EBC9314B24C46E9819CB396CE76ED03DB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b08cc99ee004bfdc5b6959c121d25eceda0280db933f960bea77663e6fb28de6
                                • Instruction ID: 73a59824bff2866ab1cc727293712b26b14b267d7a4d4fb3e0e9d3fae4e2cd6a
                                • Opcode Fuzzy Hash: b08cc99ee004bfdc5b6959c121d25eceda0280db933f960bea77663e6fb28de6
                                • Instruction Fuzzy Hash: D1116D70E48104DBD7188B5AC424E7EBBEABB4C244F154856FE03E7299CEB1AD00CB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ff49305f0d289b6afa22d929a9dccb049dfe8e9ca1b6bf8858931dd87b11736a
                                • Instruction ID: eefebd205b4e2a82f001b578f9f3fe31f98f71c6334370392461e9440a52bae0
                                • Opcode Fuzzy Hash: ff49305f0d289b6afa22d929a9dccb049dfe8e9ca1b6bf8858931dd87b11736a
                                • Instruction Fuzzy Hash: FF110A30E5C108DBD7188B658864EBE7BE6BB4C340F10085AFD03E7645CF616906CB65
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d557031d52ae66bfeb2087aff31ce7fc502cc14610b9c41706d61b5bfef505e5
                                • Instruction ID: ae89ec4c77b39d651df19a1026831599b2863acf3bf2e2eb019a7f6ec1461bbe
                                • Opcode Fuzzy Hash: d557031d52ae66bfeb2087aff31ce7fc502cc14610b9c41706d61b5bfef505e5
                                • Instruction Fuzzy Hash: 12213B74A04209EFCB14DF6DEA91A99B7F2FB8C304F10846AD4099B358DB31AD85DF40
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e03b1d96c4df6b079e9dc6286d5191ee1e3604133bddd1b6d538483f1979ebbf
                                • Instruction ID: 8f522e86e7a26517e5f21f4bae61bddb2473dd3d698079c01c53373b14e77e78
                                • Opcode Fuzzy Hash: e03b1d96c4df6b079e9dc6286d5191ee1e3604133bddd1b6d538483f1979ebbf
                                • Instruction Fuzzy Hash: F8014F78905208EFCB44DF5DFA92A99BBF1EB8D304B10846AE40DD7324DB31A841DF40
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cbd813e2f4d5cfebeb9fa2b1790079e82de7c0a6102f36f441213ab63b82af2c
                                • Instruction ID: 05fc61fd1902b4aea1d7f671651249a9df80bafc724c513d887059d598c59a06
                                • Opcode Fuzzy Hash: cbd813e2f4d5cfebeb9fa2b1790079e82de7c0a6102f36f441213ab63b82af2c
                                • Instruction Fuzzy Hash: 83F02B311087005FC308AF65EDD1BCABB95FF84304B40897CD1498B66BCB74A90E8F90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eca6e1816d14c43a46675deb2b626dc695d31a6569c54d2c53051f82af808771
                                • Instruction ID: bba910c96c449d7844ddeea49ddd6f67e82d2697ff24a50aa3f378e51bbdab3b
                                • Opcode Fuzzy Hash: eca6e1816d14c43a46675deb2b626dc695d31a6569c54d2c53051f82af808771
                                • Instruction Fuzzy Hash: D1F0F631A0D3C58FC3079778945058CFF71AF92320B1982E7E064CB2E3DA249C8AC366
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 96f146fff094c904930401f3c017059194d514d2d987b20e2c1f18b625f7f576
                                • Instruction ID: 90c4f7f7475eee5f380434e791a92f48ffd269726c865ef1f6993922f2a46e72
                                • Opcode Fuzzy Hash: 96f146fff094c904930401f3c017059194d514d2d987b20e2c1f18b625f7f576
                                • Instruction Fuzzy Hash: 03F0B421A0D3858FC7029778E85498DFFB1AF96320B1986E3E4558B2D6CB249C86C766
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df8dd7c5e7bc416a7af8adaab331384b14a63342dab361913271c4bfdee1d1d0
                                • Instruction ID: b08d30e64af4b9a1e6fa26fe85e7cd70c9c8b6b4254a02bba6cbe7fe63bfadab
                                • Opcode Fuzzy Hash: df8dd7c5e7bc416a7af8adaab331384b14a63342dab361913271c4bfdee1d1d0
                                • Instruction Fuzzy Hash: B0F0BE31608A4B8FC7259B24ED55E5A7BA0AF40219B000B79D45ACF4A2EF28B989C780
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72e19dd70d2ea26cc82d3d39e59e4063e4d50d122543398445fed062df92e9ca
                                • Instruction ID: 13cffbe492a9d6bf2854e7f08c89e62b2548990fc218ef80b0c53fb9c98f8522
                                • Opcode Fuzzy Hash: 72e19dd70d2ea26cc82d3d39e59e4063e4d50d122543398445fed062df92e9ca
                                • Instruction Fuzzy Hash: 24E0CD2018D0D09B461D63707526D7DBF615E8238930905FFE44FB7562CE1529C1DF97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 36a32173e0b0d6102e405d46d43dc825ba9d1e6af98a515cb65043ce3f472d04
                                • Instruction ID: 916513d20eb85cb7c716d8691a7ef4fa6fe225e459e4640de631ac8a89d9e629
                                • Opcode Fuzzy Hash: 36a32173e0b0d6102e405d46d43dc825ba9d1e6af98a515cb65043ce3f472d04
                                • Instruction Fuzzy Hash: 16E0E5B0D0420CEFCB44DFA8860199CBFF4AB48340F1089AA8509E7310EA359A40DB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db8c1bdf0842a0edb6796abadf9f7d67c157a99a830550cc7d64c99b32c768c6
                                • Instruction ID: b0f527767ad8a45116ab6b019c8265a6510f8c555386821ce1a43e2639ddfb9a
                                • Opcode Fuzzy Hash: db8c1bdf0842a0edb6796abadf9f7d67c157a99a830550cc7d64c99b32c768c6
                                • Instruction Fuzzy Hash: 4ED05B2024D094DB861963607916DBD7F648D81299305097AF00FF7952CE563DC6EB97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6428d72aee56065d657f39116576180e19c51ccb2abb6a5795366aa4edd4993c
                                • Instruction ID: 6c03872e4084016ce695eaaa8fa49ebaea48a2600caa9668a2f28c644aeeb40b
                                • Opcode Fuzzy Hash: 6428d72aee56065d657f39116576180e19c51ccb2abb6a5795366aa4edd4993c
                                • Instruction Fuzzy Hash: 6EE0CD10A0D1944BCB07677878129EEBF32DB9632074406F6F012AA187CE281846C7D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7ac1f77a6432426d3167e766aa402d0504a9865b14c7bd4497d60f3530da4db
                                • Instruction ID: 7f45499a27d09bbb7bad3d09bb74d55207e343fa2d134ecc21957d6e1d6430a1
                                • Opcode Fuzzy Hash: c7ac1f77a6432426d3167e766aa402d0504a9865b14c7bd4497d60f3530da4db
                                • Instruction Fuzzy Hash: 7BE0C2380081000FD3028B14E8A2AC1B7B4DF41220714828AC8D98BAD7CA29990B8F40
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 099a90a33f45f002126f4d52771d7e7b96f547c4363f1b7ba90c9cb183f7b7b6
                                • Instruction ID: 757421148f68e5fcb8fcf184a484280c6182b8cb3184bff3b80e5682b8ed976b
                                • Opcode Fuzzy Hash: 099a90a33f45f002126f4d52771d7e7b96f547c4363f1b7ba90c9cb183f7b7b6
                                • Instruction Fuzzy Hash: 15D0A72024C094D7010C23503916D7D7B648E8269A3040876E10FF7511CE1A3DC0E7DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e9d5ccd41012365e2f611d55c8799a37567fa704f6d51b6b66116257a7ee038
                                • Instruction ID: 7a10ccb3f9a597219027520861dd1395b6bcec7a4bd95ea6dddb5e526f38bbca
                                • Opcode Fuzzy Hash: 4e9d5ccd41012365e2f611d55c8799a37567fa704f6d51b6b66116257a7ee038
                                • Instruction Fuzzy Hash: 4DE01A78A04109DFCB15DFA8DA80E9DB7B1FB4C304F10846AD4099B349DB31AD42CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5276fe425e2642c66ed5e1faa806fb10c2a69891d959dfc7c2aa376ed230ec4a
                                • Instruction ID: 258ae8103aadae2bdf39cb5cb03576960588a070b7bc303809a1836a9e17e7d8
                                • Opcode Fuzzy Hash: 5276fe425e2642c66ed5e1faa806fb10c2a69891d959dfc7c2aa376ed230ec4a
                                • Instruction Fuzzy Hash: 53C02222B0C49103C309525D78211CAE702CBD122070440BAE008872DACE645C0383C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2046640611.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2940000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 89fe23ee10a1cdec20f52a9c703bc6f492835c70b806ca7fd8912eb88621a1e4
                                • Instruction ID: ea8a65bd3ba5631dad5a0610088dad23dbd27f96bbbec4463bba62ada2614da2
                                • Opcode Fuzzy Hash: 89fe23ee10a1cdec20f52a9c703bc6f492835c70b806ca7fd8912eb88621a1e4
                                • Instruction Fuzzy Hash: 01A011223008008F0A0802202308A3820C302C888832A08208003C3200EE308802AB00

                                Execution Graph

                                Execution Coverage:9.8%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:9
                                Total number of Limit Nodes:0
                                execution_graph 17798 7ff848f4f4e5 17799 7ff848f4f4ff 17798->17799 17802 7ff848f4ec38 17799->17802 17801 7ff848f4f54b 17803 7ff848f4ec41 SetWindowsHookExW 17802->17803 17805 7ff848f4f771 17803->17805 17805->17801 17794 7ff848f4a9a6 17795 7ff848f4a9b5 VirtualProtect 17794->17795 17797 7ff848f4aa92 17795->17797
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0jH$KAL_^
                                • API String ID: 0-3791694833
                                • Opcode ID: 70d949f8ef139fade9cab59bc399c35b15965f25c1c34a0817c30e28d734724a
                                • Instruction ID: 6d2efcacad62b39b0b175be87d47a8d44d5a056ed2679b6c325820b1d98d405b
                                • Opcode Fuzzy Hash: 70d949f8ef139fade9cab59bc399c35b15965f25c1c34a0817c30e28d734724a
                                • Instruction Fuzzy Hash: 3AE2F131E1D95B5FEB98F76880552B922D2FFA8B84FA4417AD40DD32C7DF3CA8428245
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID: KAL_^
                                • API String ID: 0-2336278666
                                • Opcode ID: 8a47c3c962263ec6153d032040baf47a215781f73cc568d0552f3656797f9f7f
                                • Instruction ID: fb969472f7b68221dfa4fbab784c0a60261385373f314e5e697b187d0df8196b
                                • Opcode Fuzzy Hash: 8a47c3c962263ec6153d032040baf47a215781f73cc568d0552f3656797f9f7f
                                • Instruction Fuzzy Hash: D872D131F1D95B4FEB99F72880552B922D2EFA8B84FA4417AD40DD32C7DF3DA8428245

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph not reproduced; node list collapsed): function starting at 7ff848f4fbf0, basic blocks through 7ff848f50692; calls 7ff848f44480, 7ff848f40340, 7ff848f4faa0, 7ff848f4fab0, 7ff848f4fac0, 7ff848f506c3, 7ff848f4fad0, 7ff848f4fae0, 7ff848f4ee60 and 7ff848f40cf0; no named Windows API calls appear in the graph.
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID: [VK_^
                                • API String ID: 0-589375147
                                • Opcode ID: f808292642bb382f9b9ef0d267bbecf4e876066f62071ea10c9ba9d8e8cc88d6
                                • Instruction ID: c517b5d1231d5db752dbce876fdb946bfe64cdc1d2a3575a2a8377eb5ad8dcde
                                • Opcode Fuzzy Hash: f808292642bb382f9b9ef0d267bbecf4e876066f62071ea10c9ba9d8e8cc88d6
                                • Instruction Fuzzy Hash: BA522431E1D94A8FE759FB3884652B9B7E1FFA5794F1401BAC40EC72C3DE28A8468345
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de79a6ec4e66cabdefd428b606a31d32987e8698e9028f5b1c86066969df4502
                                • Instruction ID: a370142694831a35b86f3d5f5d936fadb382d252a67a1759438015c9e67b3193
                                • Opcode Fuzzy Hash: de79a6ec4e66cabdefd428b606a31d32987e8698e9028f5b1c86066969df4502
                                • Instruction Fuzzy Hash: F4D28131F2D91A4FEB89FB28805567972E2FFA8784F5441B9D00ED32D7DF29A8428744

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph not reproduced; node list collapsed): function starting at 7ff848f510a5, basic blocks through 7ff848f52317; repeated call sequence 7ff848f44480, 7ff848f40340, 7ff848f4a1b0, 7ff848f41338, plus calls to 7ff848f50e58, 7ff848f413f0, 7ff848f41400, 7ff848f4cf70, 7ff848f40c00, 7ff848f40b88, 7ff848f50918, 7ff848f50928, 7ff848f40bd8, 7ff848f40bd0 and 7ff848f41388; no named Windows API calls appear in the graph.
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f7025654fdb7980d0bf6032a0159b777a6e38ef8064c7fc92062c757b84dcc4
                                • Instruction ID: 81b9c307978ee2ca0af52a529e5f8f1a60389b8792aec305b161c2bda40e9c3f
                                • Opcode Fuzzy Hash: 3f7025654fdb7980d0bf6032a0159b777a6e38ef8064c7fc92062c757b84dcc4
                                • Instruction Fuzzy Hash: AEC29231F1D94A4FEB89FB28909567966E2FFA8688F944179D40DC32CBDE3CE8424345
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d4a8b6a7c90ceb2a886cd6a8fd5d84c886fef1a9fc19c6f37a927d653d779cb0
                                • Instruction ID: 3daae0b98e3c787d21323c20a745a5c8749fa59831afa2943c8cff77aa96b5b0
                                • Opcode Fuzzy Hash: d4a8b6a7c90ceb2a886cd6a8fd5d84c886fef1a9fc19c6f37a927d653d779cb0
                                • Instruction Fuzzy Hash: 86421231E1D9198FEB99FB2894956B8B7F1EF58785F5000BAD00DD32D2DF39A8818B04
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fdc2eaf973eef0c282ceabc5ccb72e7991c292f26223bed70616e98878dfa3fc
                                • Instruction ID: 3ce1cf2e2694174df88ba200ee26744578b3a5aef9894b908bc2ef33ec1c8f47
                                • Opcode Fuzzy Hash: fdc2eaf973eef0c282ceabc5ccb72e7991c292f26223bed70616e98878dfa3fc
                                • Instruction Fuzzy Hash: CFF1A33091CA8D8FEBA8EF28C8557E977E1FF54350F04426EE85DC7296DB3899418B81
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8852e9d42ad1072521a3f79f27bce24989eef2973e3b8863321bfd3048b69ece
                                • Instruction ID: 91d29934b98b4c79d5fd9c70006dc7fe8b188179d82862045c6220d228bb977c
                                • Opcode Fuzzy Hash: 8852e9d42ad1072521a3f79f27bce24989eef2973e3b8863321bfd3048b69ece
                                • Instruction Fuzzy Hash: 9BE1B23090CA4E8FEBA8EF28C8557E977D1FB54350F04426EE84DC7292DF78A9458B85

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2921 7ff848f4ec38-7ff848f4f71d 2927 7ff848f4f7a9-7ff848f4f7ad 2921->2927 2928 7ff848f4f723-7ff848f4f728 2921->2928 2929 7ff848f4f732-7ff848f4f76f SetWindowsHookExW 2927->2929 2930 7ff848f4f72f-7ff848f4f730 2928->2930 2931 7ff848f4f777-7ff848f4f7a8 2929->2931 2932 7ff848f4f771 2929->2932 2930->2929 2932->2931
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1e99049d2fe4564c375762c5a46bb4b5dfb7169b5b13685c27a6dbd02b86fda4
                                • Instruction ID: c24a59d47de548c7f81f09d1a3f35af27052f3d4f95de4be55ecc7d14a77a4c9
                                • Opcode Fuzzy Hash: 1e99049d2fe4564c375762c5a46bb4b5dfb7169b5b13685c27a6dbd02b86fda4
                                • Instruction Fuzzy Hash: A0513532D0DE594FE708EB6CA8092F97BE0EF65761F04027BD049D31D2DA28A846C785

                                Control-flow Graph (rendered graph not preserved; nodes were coloured Executed / Not Executed)

                                • Basic blocks: 3009 7ff848f4a9a6-7ff848f4a9b3; 3010 7ff848f4a9be-7ff848f4a9cf; 3011 7ff848f4a9b5-7ff848f4a9bd; 3012 7ff848f4a9da-7ff848f4aa90 (VirtualProtect); 3013 7ff848f4a9d1-7ff848f4a9d9; 3017 7ff848f4aa98-7ff848f4aac7; 3018 7ff848f4aa92
                                • Edges: 3009->3010, 3009->3011, 3010->3012, 3010->3013, 3011->3010, 3012->3017, 3012->3018, 3013->3012, 3018->3017
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 8461260ff8ea3f9f374aa7bb967e8645cfdf93a85ae6ecda51eb7ade29474d9e
                                • Instruction ID: cb81713ef22fd2240e9b09479f93d7cf8b3b00a5d42a6b2d85b4c81bb5794eee
                                • Opcode Fuzzy Hash: 8461260ff8ea3f9f374aa7bb967e8645cfdf93a85ae6ecda51eb7ade29474d9e
                                • Instruction Fuzzy Hash: BE412931D0CB888FD719DBA898466F97BE1EF66721F04026FD049D32D2CF686846C795

                                Control-flow Graph (rendered graph not preserved; nodes were coloured Executed / Not Executed)

                                • Basic blocks: 3020 7ff848f4f698-7ff848f4f69f; 3021 7ff848f4f6aa-7ff848f4f71d; 3022 7ff848f4f6a1-7ff848f4f6a9; 3026 7ff848f4f7a9-7ff848f4f7ad; 3027 7ff848f4f723-7ff848f4f728; 3028 7ff848f4f732-7ff848f4f76f (SetWindowsHookExW); 3029 7ff848f4f72f-7ff848f4f730; 3030 7ff848f4f777-7ff848f4f7a8; 3031 7ff848f4f771
                                • Edges: 3020->3021, 3020->3022, 3021->3026, 3021->3027, 3022->3021, 3026->3028, 3027->3029, 3028->3030, 3028->3031, 3029->3028, 3031->3030
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3292346373.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ff848f40000_Mxscspd_BelphegorShell.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: 490ca7a1cd9744275c5e402ace5279e3d2617ea3b1c7e6653903f7cd5c0a6739
                                • Instruction ID: 99e11f28a9766dc98d08ee82f3d594af86df9f52bcbcf7ccbf625393325e708e
                                • Opcode Fuzzy Hash: 490ca7a1cd9744275c5e402ace5279e3d2617ea3b1c7e6653903f7cd5c0a6739
                                • Instruction Fuzzy Hash: 0631F73191CA485FDB18EB6C980A6F97BE1EB69321F00027FD049D3192CB64A856C795