
Windows Analysis Report
Scanned_V11230111111PDF-clean.exe

Overview

General Information

Sample Name: Scanned_V11230111111PDF-clean.exe
Analysis ID: 723559
MD5: f1550a3b28bc977e1453701de0efc02b
SHA1: aa131521288d9b613ba277a31f14f9e0318f36c3
SHA256: 68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe
Tags: exe

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DcRat
Antivirus detection for URL or domain
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Scanned_V11230111111PDF-clean.exe (PID: 6128 cmdline: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe MD5: F1550A3B28BC977E1453701DE0EFC02B)
    • RegAsm.exe (PID: 2400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 4192 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 976 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5252 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5308 cmdline: cmd" /c copy "C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 1128 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F1550A3B28BC977E1453701DE0EFC02B)
    • RegAsm.exe (PID: 4608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 5140 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6020 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5052 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 2980 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 4936 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F1550A3B28BC977E1453701DE0EFC02B)
    • RegAsm.exe (PID: 3216 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 5056 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6092 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4808 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6064 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 5068 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F1550A3B28BC977E1453701DE0EFC02B)
{"Server": "venom12345.duckdns.org,venomunverified.duckdns.org", "Ports": "4449", "Version": "5.0.5", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "13hY2L4QQkwZIszSJIRogZg0oshQmzWu", "Mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC", "Certificate": "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", "ServerSignature": "NCg54PLd2n8AEDSHQSmNfMcGUM+NFZObzWko+AQswKpLMJ6ybKRb5J/+Cq0oCg903QfMlcKBN23ZkC2YZqHpY/w9FmT+MXpUrkZjZV9+O1vXR+LeUfqiH27cAqfZ+RK8uYYKf4G1fwan7KMM8u0MSEoMlv8ggcZoyyPmsFd4SMk=", "BDOS": "null", "Startup_Delay": "1", "Group": "Venom Clients"}
Yara matches in the captured PCAP (Source | Rule | Description | Author | Strings):
  • dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x3e6:$b2: DcRat By qwqdanchun1

Yara matches in memory dumps (Source | Rule | Description | Author | Strings; 14 further entries not shown on this page):
  • 00000015.00000002.460762066.0000000002701000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x5f:$b2: DcRat By qwqdanchun1
  • 00000015.00000002.458811669.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x27e87:$b2: DcRat By qwqdanchun1
  • 0000000A.00000002.375311951.0000000004E38000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0xa107:$b2: DcRat By qwqdanchun1
  • 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
  • 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x2fef:$b2: DcRat By qwqdanchun1
    • 0x9453:$b2: DcRat By qwqdanchun1
    • 0x9697:$b2: DcRat By qwqdanchun1

Yara matches in unpacked PE images (Source | Rule | Description | Author | Strings):
  • 1.0.RegAsm.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 1.0.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
    • 0xd198:$q1: Select * from Win32_CacheMemory
    • 0xd1d8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0xd226:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0xd274:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
No Sigma rule has matched

Snort IDS alerts:
  • Timestamp: 10/14/22-20:02:21.540302 | Source IP: 185.216.71.4 | Destination IP: 192.168.2.4 | Source Port: 4449 | Destination Port: 49693 | SID: 2848152 | Protocol: TCP | Classtype: A Network Trojan was detected
  • Timestamp: 10/14/22-20:02:21.540302 | Source IP: 185.216.71.4 | Destination IP: 192.168.2.4 | Source Port: 4449 | Destination Port: 49693 | SID: 2850454 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: Scanned_V11230111111PDF-clean.exe | Virustotal: Detection: 34%
Source: Scanned_V11230111111PDF-clean.exe | Avira: detected
Source: venom12345.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Avira: detection malicious, Label: HEUR/AGEN.1235903
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Virustotal: Detection: 34%
Source: Scanned_V11230111111PDF-clean.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Joe Sandbox ML: detected
Source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT (the extracted configuration is listed in full above, under Classification)
Source: Scanned_V11230111111PDF-clean.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Scanned_V11230111111PDF-clean.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2850454 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) 185.216.71.4:4449 -> 192.168.2.4:49693
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 185.216.71.4:4449 -> 192.168.2.4:49693
Source: Malware configuration extractor | URLs: venom12345.duckdns.org
Source: Malware configuration extractor | URLs: venomunverified.duckdns.org
Source: unknown | DNS query: name: venom12345.duckdns.org
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE
Source: global traffic | TCP traffic: 192.168.2.4:49693 -> 185.216.71.4:4449
Source: RegAsm.exe, 00000001.00000002.579062801.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000001.00000002.570896346.0000000000C63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000001.00000002.570896346.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000001.00000003.337788147.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?729530c19ff95
Source: RegAsm.exe, 00000001.00000002.574454780.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | DNS traffic detected: queries for: venom12345.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.320163813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Scanned_V11230111111PDF-clean.exe PID: 6128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 1128, type: MEMORYSTR

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 00000015.00000002.460762066.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000015.00000002.458811669.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.375311951.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.579062801.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.369404467.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4608, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 3216, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Rule metadata for Windows_Trojan_DCRat_1aeea1ac (identical for every match of that rule listed above): os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Rule metadata for INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice: author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions: 1_2_00F2E8D0, 1_2_00F2ACC0, 1_2_00F29FE8, 1_2_00F22109, 1_2_00F21590, 1_2_00F21580, 1_2_00F29CA0, 10_2_02602109, 10_2_0260158F, 10_2_02601590, 21_2_02532109, 21_2_02531590, 21_2_02531580
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Code function: 9_2_011E3C80 CreateProcessAsUserA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions calling NtProtectVirtualMemory: 1_2_00F22560, 1_2_00F22109, 10_2_02602560, 10_2_02602109, 21_2_02532560, 21_2_02532109
Source: Scanned_V11230111111PDF-clean.exe, 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe, vs Scanned_V11230111111PDF-clean.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll (reported for each of the three RegAsm.exe instances)
Source: Scanned_V11230111111PDF-clean.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msdtc.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe
Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | File created: C:\Users\user\AppData\Roaming\msdtc
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@43/7@1/1
      Source: Scanned_V11230111111PDF-clean.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 events)
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 events)
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1316:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3616:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 events)
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Scanned_V11230111111PDF-clean.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Scanned_V11230111111PDF-clean.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02602627 push ecx; retf 10_2_02602636
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02601430 push eax; retf 10_2_0260143E
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02601409 push eax; retf 10_2_02601416
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_026012A9 push ecx; retf 10_2_026012B6
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02600568 push esp; retf 10_2_02600576
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02600730 push eax; retf 10_2_0260073E
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_026001B0 push esi; retf 10_2_026001CF
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_02601190 push ecx; retf 10_2_0260119E
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_0260019D push ebp; retf 10_2_026001AA
      Source: initial sample | Static PE information: section name: .text entropy: 7.692545334541179
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe (dropped file)
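The .text entropy of 7.69 (on a 0 to 8 scale) reported above is the static clue that the sample's real payload is packed or encrypted and only unwraps at run time, which is why the Yara hits in this report come from unpacked and in-memory regions rather than from the file on disk. The following script is an added triage example, not code from the Joe Sandbox report or from the malware: it parses the PE section table with struct alone (no pefile dependency), computes Shannon entropy per section, and flags sections above a threshold. The threshold of 7.0 and the minimal in-memory PE used as input are this example's own assumptions; real samples are read from the path given on the command line.

```python
"""Per-section entropy triage for a PE file (added example, not from the report)."""
import hashlib
import math
import struct
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size) for every section header.

    Only the fields needed to locate raw section data are decoded. Signatures
    and offsets are validated before use so a truncated or hostile header
    raises ValueError instead of slicing garbage.
    """
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    for i in range(num_sections):
        hdr = blob[table + 40 * i: table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        if raw_ptr + raw_size > len(blob):
            raise ValueError(f"section {name} points outside the file")
        yield name, raw_ptr, raw_size


def section_entropies(blob: bytes) -> dict:
    """Map section name -> entropy of its raw bytes, rounded to 3 decimals."""
    return {name: round(shannon_entropy(blob[off:off + size]), 3)
            for name, off, size in pe_sections(blob)}


def flag_packed(blob: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy is at or above the threshold (assumed 7.0)."""
    return [name for name, ent in section_entropies(blob).items() if ent >= threshold]


def build_test_pe(sections) -> bytes:
    """Construct a minimal, non-loadable PE image carrying the given (name, payload) sections.

    Only the headers the parser reads are populated; this exists so the
    example runs offline without a real binary.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no optional header
    headers_len = 0x40 + 4 + 20 + 40 * len(sections)
    table, raw = bytearray(), bytearray()
    for i, (name, payload) in enumerate(sections):
        ptr = headers_len + len(raw)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             0x1000 * (i + 1), len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        raw += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(raw)


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256), standing in for packed code."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: a packed-looking .text beside two ordinary sections.
SAMPLE_PE = build_test_pe([
    (".text", _pseudo_random(4096)),        # entropy close to 8, like the report's 7.69
    (".data", b"\x00" * 2048),              # zero-filled: entropy 0
    (".rsrc", b"Hello, world! " * 150),     # plain text: low entropy
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for name, ent in section_entropies(blob).items():
        print(f"{name:8s} {ent:5.2f}{'  <- packed?' if ent >= 7.0 else ''}")
```

A high-entropy .text is only a pointer, not proof: signed installers and legitimately protected .NET assemblies score similarly, so the value is best read together with the runtime evidence that follows (in-memory Yara hits, writes of a fresh MZ image into another process).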

      Boot Survival

      Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000001.00000000.320163813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Scanned_V11230111111PDF-clean.exe PID: 6128, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 1128, type: MEMORYSTR
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process information set: NOOPENFILEERRORBOX (18 identical events)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (41 identical events)
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process information set: NOOPENFILEERRORBOX (18 identical events)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (23 identical events)
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process information set: NOOPENFILEERRORBOX (18 identical events)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (23 identical events)
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process information set: NOOPENFILEERRORBOX (18 identical events)
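Two behaviours in the Boot Survival section are worth turning into detection logic: the schtasks invocation that re-runs a binary under %AppData%\Roaming every minute with /f, and the copied-in msdtc.exe starting RegAsm.exe with an empty command line as a host for the injected payload (the HIPS section below records the writes into it). The script that follows is an added example, not code from the report; it encodes those two observations as rules over process-creation records. The record shape (image, command_line, parent_image), the list of .NET utilities treated as likely hollowing hosts, and the two benign control events are this example's own assumptions; the malicious events are constructed from the command lines the report shows.

```python
"""Persistence and hollow-host triage over process-creation events (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # its command line as logged
    parent_image: str   # full path of the creating process


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    reasons: tuple


# Paths a non-admin user can write to; the report's persistence lives under AppData\Roaming.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Desktop|Public)\\", re.I)
SCHTASKS_CREATE = re.compile(r"/create\b", re.I)
SC_ARG = re.compile(r"/sc\s+(\w+)", re.I)
MO_ARG = re.compile(r"/mo\s+(\d+)", re.I)
TR_ARG = re.compile(r"""/tr\s+"?'?([^"']+)""", re.I)

# .NET Framework utilities commonly hollowed by AsyncRAT-family loaders (assumed list);
# RegAsm.exe is the one observed in this report.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks(ev: ProcEvent):
    """Scheduled task that re-launches a user-writable binary on a tight cadence."""
    if basename(ev.image) != "schtasks.exe" or not SCHTASKS_CREATE.search(ev.command_line):
        return None
    sc, mo, tr = (rx.search(ev.command_line) for rx in (SC_ARG, MO_ARG, TR_ARG))
    target = tr.group(1).strip() if tr else ""
    reasons = []
    if sc and sc.group(1).lower() == "minute" and (mo is None or int(mo.group(1)) <= 5):
        reasons.append("minute-cadence trigger")
    if USER_WRITABLE.search(target):
        reasons.append("action in user-writable path")
    if "/f" in ev.command_line.lower().split():
        reasons.append("/f silently replaces an existing task")
    # One reason alone is common in legitimate software; require two to fire.
    return Finding("schtasks_persistence", target, tuple(reasons)) if len(reasons) >= 2 else None


def check_hollow_host(ev: ProcEvent):
    """A .NET utility started with no arguments by a parent in a user-writable path."""
    name = basename(ev.image)
    if name not in HOLLOW_HOSTS:
        return None
    bare = ev.command_line.strip().strip('"')
    no_args = basename(bare) == name          # command line is just the image itself
    if no_args and USER_WRITABLE.search(ev.parent_image):
        return Finding("hollow_host", ev.image,
                       ("no arguments", f"parent in user-writable path: {ev.parent_image}"))
    return None


def triage(events):
    """Run every rule over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for rule in (check_schtasks, check_hollow_host):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


MSDTC = r"C:\Users\user\AppData\Roaming\msdtc\msdtc.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events: the first three mirror the report's process tree, the last two are benign controls.
EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r'"cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc"', MSDTC),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f''',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(REGASM, REGASM, MSDTC),
    ProcEvent(REGASM, r'RegAsm.exe "C:\Program Files\Vendor\Interop.dll" /codebase', r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"',
              r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] {f.subject}: {'; '.join(f.reasons)}")
```

The task name "Nafifas" is deliberately not a rule input: names are trivially changed per build, whereas a minute-cadence task pointing into AppData and an argument-less RegAsm.exe spawned from AppData describe the technique rather than this one sample.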

      Malware Analysis System Evasion

      Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000001.00000000.320163813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Scanned_V11230111111PDF-clean.exe PID: 6128, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 1128, type: MEMORYSTR
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe TID: 6112 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4700 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5148 | Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5148 | Thread sleep count: 103 > 30
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 644 | Thread sleep count: 9793 > 30
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe TID: 5364 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 588 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe TID: 4736 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 784 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (5 events)
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Thread delayed: delay time: 922337203685477 (2 events)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 (6 events)
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Thread delayed: delay time: 922337203685477 (4 events)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9793
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation (3 events)
      Source: RegAsm.exe, 00000001.00000003.478955579.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
      Source: RegAsm.exe, 00000001.00000002.579440815.0000000004F35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000003.478955579.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: RegAsm.exe, 00000001.00000002.579062801.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8|
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 609008
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 722000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 732000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 734000
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5C9008
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtcJump to behavior
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /fJump to behavior
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /fJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtcJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /fJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtcJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /fJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
      Source: RegAsm.exe, 00000001.00000002.572698870.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.574785415.0000000002BCF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.572613316.0000000002A83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exeQueries volume information: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeQueries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeQueries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeQueries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformation
      Source: C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match => File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match => File source: 00000001.00000000.320163813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: Process Memory Space: Scanned_V11230111111PDF-clean.exe PID: 6128, type: MEMORYSTR
Source: Yara match => File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR
Source: Yara match => File source: Process Memory Space: msdtc.exe PID: 1128, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe => WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: Scanned_V11230111111PDF-clean.exe, 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp => Binary or memory string: MSASCui.exe
Source: Scanned_V11230111111PDF-clean.exe, 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp => Binary or memory string: procexp.exe
Source: Scanned_V11230111111PDF-clean.exe, 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp => Binary or memory string: MsMpEng.exe
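The two sections above record, line by line, how the dropped msdtc.exe copy hollows RegAsm.exe (an RWX allocation at the image base, then a write whose first bytes are the MZ magic 4D5A), how the sample re-arms itself through a scheduled task that fires every minute, and how the injected payload enumerates security products through WMI. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses behaviour lines in the report's own "Source: <process> <event>" form (a few of the lines above are copied into SAMPLE_LINES as constructed input, with one space inserted between the source path and the event text) and turns them into ATT&CK-tagged findings. The regexes, the Finding type and the list of user-writable directory markers are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: behaviour lines copied from this report, with one space
# inserted between the "Source:" path and the event text (the report fuses them).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000",
    r"Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 720000 value starts with: 4D5A",
    r'''Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f''',
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
]

# Line shapes as this example assumes them (the report's wording, regex-ified).
MEM_ALLOC = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
MEM_WRITE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
PROC_CREATE = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
WMI_QUERY = re.compile(r"^Source: (?P<src>.+?) WMI Queries: .*?(?P<ns>root\\\w+) : (?P<query>.+)$")

# Directory markers treated as user-writable (an assumption of this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    technique: str   # ATT&CK ID and name
    detail: str
    source: str      # the process the report names as the actor


def find_pe_injection(lines):
    """Flag MZ-headed writes into another process and note whether the target
    region was made executable first (the hollowing pattern in the report)."""
    rwx = set()
    for line in lines:
        m = MEM_ALLOC.match(line)
        if m and "execute" in m["prot"]:
            rwx.add((m["src"], m["target"], int(m["base"], 16)))
    findings = []
    for line in lines:
        m = MEM_WRITE.match(line)
        if not m or not m["magic"] or not m["magic"].upper().startswith("4D5A"):
            continue   # writes without an MZ magic are not PE injection
        if m["src"].lower() == m["target"].lower():
            continue   # a process writing into itself is not injection
        base = int(m["base"], 16)
        detail = f"MZ header written into {m['target']} at 0x{base:X}"
        if (m["src"], m["target"], base) in rwx:
            detail += " (region allocated RWX beforehand)"
        findings.append(Finding("T1055 Process Injection", detail, m["src"]))
    return findings


def parse_schtasks(cmdline):
    """Split a schtasks command line into {flag: value-or-True}; a flag's value
    is the next token with surrounding double and single quotes removed."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok.lower()] = tokens[i + 1].strip('"').strip("'")
                i += 2
                continue
            opts[tok.lower()] = True
        i += 1
    return opts


def find_scheduled_task_persistence(lines):
    """Flag 'schtasks /create' invocations that look like malware persistence."""
    findings = []
    for line in lines:
        m = PROC_CREATE.match(line)
        if not m or not m["image"].lower().endswith("schtasks.exe"):
            continue
        opts = parse_schtasks(m["cmdline"])
        if "/create" not in opts:
            continue
        target = str(opts.get("/tr", ""))
        reasons = []
        if str(opts.get("/sc", "")).lower() == "minute":
            reasons.append(f"re-runs every {opts.get('/mo', '1')} minute(s)")
        if any(marker in target.lower() for marker in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
        if opts.get("/f"):
            reasons.append("/f silently replaces an existing task of that name")
        if reasons:
            findings.append(Finding("T1053.005 Scheduled Task",
                                    f"task {opts.get('/tn')!r} -> {target}; " + "; ".join(reasons),
                                    m["src"]))
    return findings


def find_security_software_discovery(lines):
    """Flag WMI queries against the SecurityCenter2 AntivirusProduct class."""
    findings = []
    for line in lines:
        m = WMI_QUERY.match(line)
        if m and "antivirusproduct" in m["query"].lower():
            findings.append(Finding("T1518.001 Security Software Discovery",
                                    f"WMI {m['ns']}: {m['query']}", m["src"]))
    return findings


def triage(lines):
    """Run all three checks over a list of behaviour lines."""
    return (find_pe_injection(lines)
            + find_scheduled_task_persistence(lines)
            + find_security_software_discovery(lines))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.technique}] {f.detail}  (source: {f.source})")
```

On the constructed lines this yields two T1055 findings (both target regions had been made RWX before the MZ write), one T1053.005 finding for the Nafifas task and one T1518.001 finding for the SecurityCenter2 query; the write at base 412000 carries no MZ magic and is ignored, which is the right call for the many plain data writes a hollowing loop produces. The same parser can be pointed at a full behaviour export; only the line shapes in the regexes need to match.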

Stealing of Sensitive Information

Source: Yara match => File source: 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match => File source: 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match => File source: Process Memory Space: RegAsm.exe PID: 2400, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques the report flags, grouped by tactic. The number in front of each technique is the badge the report shows beside it, reproduced as extracted. The remaining cells of the grid (the unmatched techniques of the matrix template, including the Network Effects, Remote Service Effects and Impact columns) carry no flag for this sample and are omitted.

Initial Access: 1 Valid Accounts
Execution: 1 Windows Management Instrumentation; 2 Scheduled Task/Job
Persistence: 1 Valid Accounts; 2 Scheduled Task/Job; 1 DLL Side-Loading
Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 312 Process Injection; 2 Scheduled Task/Job; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 312 Process Injection; 12 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: no technique flagged
Discovery: 121 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 13 System Information Discovery
Lateral Movement: no technique flagged
Collection: 1 Archive Collected Data
Exfiltration: no technique flagged
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol
Behavior Graph

Behavior Graph ID: 723559; Sample: Scanned_V11230111111PDF-clean.exe; Start date: 14/10/2022; Architecture: WINDOWS; Score: 100

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

Process tree as drawn in the graph:
• Scanned_V11230111111PDF-clean.exe; dropped: C:\...\Scanned_V11230111111PDF-clean.exe.log (CSV)
  • cmd.exe; dropped: C:\Users\user\AppData\Roaming\...\msdtc.exe (PE32), C:\Users\user\...\msdtc.exe:Zone.Identifier (ASCII); child: conhost.exe
  • cmd.exe; signature: Uses schtasks.exe or at.exe to add and modify task schedules; child: conhost.exe
  • cmd.exe; children: conhost.exe, schtasks.exe
  • RegAsm.exe; network: venom12345.duckdns.org, 185.216.71.4 (ports listed: 4449, 49693), CLOUDCOMPUTINGDE, Germany
• msdtc.exe; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; children: cmd.exe (2 other processes), cmd.exe (conhost.exe), 2 other processes
• msdtc.exe; signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; children: cmd.exe (2 other processes), 3 other processes
• msdtc.exe

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample (Source | Detection | Scanner | Label)
Scanned_V11230111111PDF-clean.exe | 35% | Virustotal
Scanned_V11230111111PDF-clean.exe | 100% | Avira | HEUR/AGEN.1235903
Scanned_V11230111111PDF-clean.exe | 100% | Joe Sandbox ML

Dropped file (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | 100% | Avira | HEUR/AGEN.1235903
C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | 35% | Virustotal

Unpacked PE files (Source | Detection | Scanner | Label)
0.0.Scanned_V11230111111PDF-clean.exe.440000.0.unpack | 100% | Avira | HEUR/AGEN.1235903
1.0.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1202835

Domains (Source | Detection | Scanner)
venom12345.duckdns.org | 3% | Virustotal

URLs (Source | Detection | Scanner | Label)
venomunverified.duckdns.org | 3% | Virustotal
venomunverified.duckdns.org | 0% | Avira URL Cloud | safe
venom12345.duckdns.org | 3% | Virustotal
venom12345.duckdns.org | 100% | Avira URL Cloud | malware
Domains and IPs

Contacted domain (Name | IP | Active | Malicious | Reputation)
venom12345.duckdns.org | 185.216.71.4 | true | true | unknown

Domains listed in the report (Name | Malicious | Antivirus detection | Reputation)
venomunverified.duckdns.org | true | Virustotal 3%; Avira URL Cloud: safe | unknown
venom12345.duckdns.org | true | Virustotal 3%; Avira URL Cloud: malware | unknown

URLs from memory (Name | Source | Malicious | Reputation)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.574454780.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp | false | high

Contacted IP (IP | Domain | Country | ASN | ASN name | Malicious)
185.216.71.4 | venom12345.duckdns.org | Germany | 43659 | CLOUDCOMPUTINGDE | true
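The indicator tables above (sample hashes, the msdtc.exe drop path, the Nafifas task, the two duckdns hosts and 185.216.71.4:4449) only pay off once they are matched against host and network telemetry. The script below is an added example for this page, not part of the Joe Sandbox report: it loads those indicators, scans a constructed JSON-lines feed and returns graded hits. The event shape is a simplified one of this example's own design, not a real Sysmon or EDR schema; the host venom-other.duckdns.org and the two Chrome events are made up. One rule goes beyond the report's own list: any *.duckdns.org lookup issued by RegAsm.exe is flagged as a low-severity heuristic, because RegAsm.exe is the injection host this sample uses and has no legitimate reason to resolve dynamic-DNS names. A connection to port 4449 on its own is deliberately not a hit.

```python
import json
import re

# Indicators taken from this report: sample hash, drop path, task name, the two
# duckdns hosts, and the C2 address and port RegAsm.exe connected to.
REPORT_IOCS = {
    "sha256": {"68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe"},
    "domains": {"venom12345.duckdns.org", "venomunverified.duckdns.org"},
    "ips": {"185.216.71.4"},
    "ports": {4449},
    "path_markers": {r"\appdata\roaming\msdtc\msdtc.exe"},
    "task_names": {"nafifas"},
}

# Severity per rule (this example's own grading). There is no port-only rule:
# 4449 by itself is not evidence of anything.
SEVERITY = {
    "hash_match": "high", "c2_endpoint": "high", "c2_domain": "high",
    "dropped_path": "high", "task_name": "medium", "c2_ip_other_port": "medium",
    "dyndns_from_regasm": "low",   # heuristic, not an IOC from the report
}


def match_event(ev):
    """Return (rule, value) hits for one telemetry record."""
    hits = []
    image = ev.get("image", "").lower()
    if ev.get("sha256", "").lower() in REPORT_IOCS["sha256"]:
        hits.append(("hash_match", ev["sha256"]))
    if any(marker in image for marker in REPORT_IOCS["path_markers"]):
        hits.append(("dropped_path", ev["image"]))
    if ev["type"] == "dns":
        query = ev.get("query", "").lower()
        if query in REPORT_IOCS["domains"]:
            hits.append(("c2_domain", query))
        elif query.endswith(".duckdns.org") and image.endswith("\\regasm.exe"):
            # Beyond the report's list: RegAsm.exe resolving a dynamic-DNS host
            # catches a renamed C2 subdomain, at low severity.
            hits.append(("dyndns_from_regasm", query))
    elif ev["type"] == "network":
        ip_hit = ev.get("dst_ip") in REPORT_IOCS["ips"]
        port_hit = ev.get("dst_port") in REPORT_IOCS["ports"]
        if ip_hit and port_hit:
            hits.append(("c2_endpoint", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif ip_hit:
            hits.append(("c2_ip_other_port", ev["dst_ip"]))
    elif ev["type"] == "process":
        m = re.search(r'/tn\s+"?([^"\s]+)"?', ev.get("cmdline", ""), re.IGNORECASE)
        if m and m.group(1).lower() in REPORT_IOCS["task_names"]:
            hits.append(("task_name", m.group(1)))
    return hits


def scan(jsonl_text):
    """Scan JSON-lines telemetry; return [(line_no, severity, rule, value), ...]."""
    results = []
    for line_no, raw in enumerate(jsonl_text.splitlines(), start=1):
        if raw.strip():
            for rule, value in match_event(json.loads(raw)):
                results.append((line_no, SEVERITY[rule], rule, value))
    return results


# Constructed telemetry in a simplified event shape of this example's own design
# (not a real Sysmon/EDR schema). Lines 1-5 mirror the report's behaviour; the
# host venom-other.duckdns.org and the two Chrome events are made up.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TELEMETRY = "\n".join(json.dumps(ev) for ev in [
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\msdtc\msdtc.exe",
     "sha256": "68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f'''},
    {"type": "dns", "image": REGASM, "query": "venom12345.duckdns.org", "answer": "185.216.71.4"},
    {"type": "dns", "image": REGASM, "query": "venom-other.duckdns.org"},
    {"type": "network", "image": REGASM, "dst_ip": "185.216.71.4", "dst_port": 4449},
    {"type": "network", "image": CHROME, "dst_ip": "203.0.113.10", "dst_port": 4449},
    {"type": "dns", "image": CHROME, "query": "www.example.com"},
])

if __name__ == "__main__":
    for line_no, sev, rule, value in scan(TELEMETRY):
        print(f"line {line_no}: {sev:6} {rule:20} {value}")
```

Against the constructed feed, lines 1 to 5 produce six hits (the first process event matches on both hash and path) and the two Chrome events produce none, including the benign connection to port 4449. The hash and path rules are worth keeping separate in practice: the task re-copies the binary every minute, so a rebuilt dropper with a fresh hash still lands at the same %APPDATA%\msdtc\msdtc.exe path.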
        Joe Sandbox Version:36.0.0 Rainbow Opal
        Analysis ID:723559
        Start date and time:2022-10-14 20:01:13 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 7m 39s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:Scanned_V11230111111PDF-clean.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:33
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@43/7@1/1
        EGA Information:
        • Successful, ratio: 71.4%
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 85
        • Number of non-executed functions: 3
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
        • Excluded IPs from analysis (whitelisted): 8.238.85.254
        • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
        • Execution Graph export aborted for target Scanned_V11230111111PDF-clean.exe, PID 6128 because it is empty
        • Execution Graph export aborted for target msdtc.exe, PID 5068 because it is empty
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:02:19 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe"
20:02:22 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
Associated samples (Match | Associated sample name / URL | Detection | Context IP)
Match: CLOUDCOMPUTINGDE
file.exe | malicious | 85.31.46.167 (18 separate submissions with this name, each with this verdict and contacting this IP)
Order PO-40930217.exe | malicious | 185.216.71.120
Ao0J2ukVd6.exe | malicious | 185.216.71.58
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62397 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
        Category:dropped
        Size (bytes):62397
        Entropy (8bit):7.995531606726499
        Encrypted:true
        SSDEEP:1536:6VT6EGIYmIA2VKd1ZepH+41ZnDVrFyv+7XAZa7pAn:A6JI5IjOcTZDGvYXAZhn
        MD5:D15AAA7C9BE910A9898260767E2490E1
        SHA1:2090C53F8D9FC3FBDBAFD3A1E4DC25520EB74388
        SHA-256:F8EBAAF487CBA0C81A17C8CD680BDD2DD8E90D2114ECC54844CFFC0CC647848E
        SHA-512:7E1C1A683914B961B5CC2FE5E4AE288B60BAB43BFAA21CE4972772AA0589615C19F57E672E1D93E50A7ED7B76FBD2F1B421089DCAED277120B93F8E91B18AF94
        Malicious:false
        Preview:MSCF............,...................I.................-UIh .authroot.stl......5..CK..<Tk...c_.d......F...,Y.d...!......$E.KB..D..%*J..}f...grs..}?>...s..<...=g.h.=W..W....b.i.....L......1:..c.0......1t.2t......w..........i,#.#..V..r...7.....W.)++.lF..he.4|.../F.0:0...].#..I(.#.-... ...(.J....2{..`.hO..Gl+.be7y.j....)........<...........s.W..../\./...){n...s.........V..}.K.Wv3Y...A.9w9.Ea.x.W........\.;.i..d^...[..f.p..B..s.....60.<!.(.........!s0.#..!7.....J..........F...0...C..8..8.....4...<.X...!U.%.GN*.!....*G........F<..0.1..ZZz,....X.U.L..S......9.)..fy0Z.(.VS.{...{.=.h..a'.>U...AG....pu=.P}.......s.`@t((..JVdN.....!_@...|.,..'0..3.`.DU...%0.Gi.4sv.#..5.U.?.......p.."........9.|..j.<....b`.,...~..I.T.{..cY..X>....Z/..._.K>..>.3.#>X.%..b...5.YG.E.V._\?.....EpF}.....jz...,.f "h.{........U......k......U...3v....G.l[..x*.{...=...r.....$.I....>.1..~.\k.W..[....X...@xp..,.qf.B..<yN:fL~ <............>.#...F...z....yw...N.o..,.c../.:..Ql...y.
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        File Type:data
        Category:modified
        Size (bytes):328
        Entropy (8bit):3.171395630613584
        Encrypted:false
        SSDEEP:6:kKDzWEl6FvXiN+SkQlPlEGYRMY9z+4KlDA3RUe6l61:rzWE45XJkPlE99SNxAhUe6c1
        MD5:F04D40D674EA4F1240874D666ACED1C0
        SHA1:F4361CC1ECD1DB03826CE967F14F505529A7829E
        SHA-256:9FC483737D3147997EBC7F1BD6673616B65A92243849B7D5FD2FA04744D375B2
        SHA-512:EC1595658FACF5F69BD7638414799AA8FF17C8686AD362B8617B8B1E2FC255AECCA0BFDCF28819D57A434B1FF6C4F9D6281EAD76DF7377772214FC55A5C1E511
        Malicious:false
        Preview:p...... .........3......(....................................................... ........K..........&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.4.b.7.9.5.8.b.d.2.d.8.1.:.0."...
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        File Type:CSV text
        Category:dropped
        Size (bytes):425
        Entropy (8bit):5.340009400190196
        Encrypted:false
        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
        MD5:CC144808DBAF00E03294347EADC8E779
        SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
        SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
        SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
        Malicious:false
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
        Process:C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe
        File Type:CSV text
        Category:dropped
        Size (bytes):425
        Entropy (8bit):5.340009400190196
        Encrypted:false
        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
        MD5:CC144808DBAF00E03294347EADC8E779
        SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
        SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
        SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
        Malicious:true
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
        Process:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        File Type:CSV text
        Category:dropped
        Size (bytes):425
        Entropy (8bit):5.340009400190196
        Encrypted:false
        SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
        MD5:CC144808DBAF00E03294347EADC8E779
        SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
        SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
        SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
        Malicious:false
        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
        Process:C:\Windows\SysWOW64\cmd.exe
        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):281600
        Entropy (8bit):5.674396618343541
        Encrypted:false
        SSDEEP:3072:GzeGuUytW+M1Qkh36d5cBWHc8iXcIQ8u7RTSDL+TyJiAdlkgSjOohYAj:GtzV+/iqXG0jisHTyndlLSnhYAj
        MD5:F1550A3B28BC977E1453701DE0EFC02B
        SHA1:AA131521288D9B613BA277A31F14F9E0318F36C3
        SHA-256:68FA24F693D9B5955EB2A34A6FBBD3AC7B9E4E8EFA53B17B6A94DDD01BAAB2FE
        SHA-512:DFD6678D68CA76DBF8D360E5EA9370552A1CAAEE210A60628B8EE7435B3CB70150243F88999FAC69D3130D94AEFFB70C75C1DAF93D15B0E0D3B05622616B4BB0
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: Virustotal, Detection: 35%, Browse
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Ic.................`..........`.... ........@.. ....................................@.....................................J.................................................................................... ............... ..H............text...f_... ...`.................. ..`.rsrc................b..............@..@.reloc...............J..............@..B................F.......H........<...<...........y..z.............................................(F...*.0..s........,7~7...~5...~2...~/...+%+*+/ ....+/+4~8...+4+6_,.~;...+3&.-.*(n...+.(q...+.(t...+.(g...+.(w...+...+.(z...+.(}...+....(F...*.0..........+O8P....8P...+*~=...+M+N+O+W+[.0%,.2.+X.-..91.......-..X..~?....(.....,.2..%,.*.*.8.....8.....8.....+..+.(....8.....8.....8.....+....0...........+.+.*.+..+..0...........+.+.*.+..+..0...........+.+.*.+..+...(F...*.0..........+.+.+.+.*s....+..+..+.o....+
        Process:C:\Windows\SysWOW64\cmd.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):26
        Entropy (8bit):3.95006375643621
        Encrypted:false
        SSDEEP:3:ggPYV:rPYV
        MD5:187F488E27DB4AF347237FE461A079AD
        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious:true
        Preview:[ZoneTransfer]....ZoneId=0
        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):5.674396618343541
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name:Scanned_V11230111111PDF-clean.exe
        File size:281600
        MD5:f1550a3b28bc977e1453701de0efc02b
        SHA1:aa131521288d9b613ba277a31f14f9e0318f36c3
        SHA256:68fa24f693d9b5955eb2a34a6fbbd3ac7b9e4e8efa53b17b6a94ddd01baab2fe
        SHA512:dfd6678d68ca76dbf8d360e5ea9370552a1caaee210a60628b8ee7435b3cb70150243f88999fac69d3130d94aeffb70c75c1daf93d15b0e0d3b05622616b4bb0
        SSDEEP:3072:GzeGuUytW+M1Qkh36d5cBWHc8iXcIQ8u7RTSDL+TyJiAdlkgSjOohYAj:GtzV+/iqXG0jisHTyndlLSnhYAj
        TLSH:01546C067B808E27C4183738A8A38734233AED56FEB5C70FB698B6197FB27D549125C5
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Ic.................`..........`.... ........@.. ....................................@................................
        Icon Hash:b46ee4c4ecd0e830
        Entrypoint:0x417f60
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Time Stamp:0x63499D27 [Fri Oct 14 17:32:23 2022 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
        Instruction
        jmp dword ptr [00402000h]
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17f16 | 0x4a | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x2e6a0 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x15f66 | 0x16000 | False | 0.8551580255681818 | data | 7.692545334541179 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rsrc | 0x18000 | 0x2e6a0 | 0x2e800 | False | 0.380859375 | data | 4.361154876770736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x48000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0x180ac | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | |
        RT_ICON | 0x288f8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | |
        RT_ICON | 0x31dc4 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | |
        RT_ICON | 0x385d0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | |
        RT_ICON | 0x3da7c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | |
        RT_ICON | 0x41cc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | |
        RT_ICON | 0x44294 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
        RT_ICON | 0x45360 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | |
        RT_ICON | 0x45d0c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
        RT_GROUP_ICON | 0x461c2 | 0x84 | data | |
        RT_VERSION | 0x46282 | 0x1f8 | data | English | United States
        RT_MANIFEST | 0x464b6 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
        DLL | Import
        mscoree.dll | _CorExeMain
        Language of compilation system | Country where language is spoken
        English | United States
        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        10/14/22-20:02:21.540302 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        10/14/22-20:02:21.540302 | TCP | 2850454 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Oct 14, 2022 20:02:21.450500011 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:21.477988005 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:21.478084087 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:21.511540890 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:21.540302038 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:21.545551062 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:21.576325893 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:21.633656025 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:28.169265032 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:28.245615959 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:28.245832920 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:28.324682951 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:38.525011063 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:38.602965117 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:38.604311943 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:38.683777094 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:38.699460030 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:38.837662935 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:38.865046024 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:39.025204897 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:39.228831053 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:39.309890985 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:39.309994936 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:39.389702082 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:46.155585051 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:46.338332891 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:46.365402937 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:46.525846004 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:48.812150955 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:48.890791893 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:48.890938044 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:48.964538097 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:49.026278019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:49.053551912 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:49.101815939 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:49.190079927 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:49.190274954 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:49.270833969 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:59.102849960 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:59.180946112 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:59.181046963 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:59.240190029 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:59.292562962 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:59.320094109 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:59.339601040 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:59.416662931 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:02:59.416743994 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:02:59.494013071 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:09.435960054 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:09.513834000 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:09.517749071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:09.546871901 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:09.684073925 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:09.711291075 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:09.788532019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:09.866826057 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:09.869837046 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:09.947679043 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:16.045141935 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:16.090862989 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:16.118139982 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:16.168993950 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:19.771892071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:19.849715948 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:19.849777937 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:19.928585052 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:20.699259043 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:20.794411898 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:20.821676970 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:20.903773069 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:20.990256071 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:21.067761898 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:21.067862988 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:21.146642923 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:30.094578028 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:30.187001944 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:30.187071085 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:30.242351055 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:30.295268059 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:30.322398901 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:30.398165941 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:30.473654032 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:30.473828077 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:30.544945002 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:40.383671999 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.451844931 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:40.452039957 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.498953104 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:40.546174049 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.573862076 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:40.624268055 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.732413054 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.809856892 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:40.809937954 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:40.887815952 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:46.449521065 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:46.499759912 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:46.527158976 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:46.577972889 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.597248077 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.676943064 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:50.677140951 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.706593037 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:50.750170946 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.778158903 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:50.796410084 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.874600887 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:03:50.874803066 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:03:50.955717087 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:00.930149078 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:01.007909060 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:01.010257006 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:01.088882923 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:01.108876944 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:01.157269955 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:01.184572935 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:01.235390902 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:02.593801022 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:02.680850029 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:02.680985928 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:02.758719921 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:11.234200001 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:11.321782112 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:11.327121019 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:11.397279024 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:11.449935913 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:11.477072001 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:11.499174118 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:11.577646971 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:11.579164028 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:11.656702995 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:16.126669884 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:16.169179916 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Oct 14, 2022 20:04:16.203320980 CEST | 4449 | 49693 | 185.216.71.4 | 192.168.2.4
        Oct 14, 2022 20:04:16.278552055 CEST | 49693 | 4449 | 192.168.2.4 | 185.216.71.4
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Oct 14, 2022 20:02:21.326102972 CEST | 60080 | 53 | 192.168.2.4 | 8.8.8.8
        Oct 14, 2022 20:02:21.432149887 CEST | 53 | 60080 | 8.8.8.8 | 192.168.2.4
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Oct 14, 2022 20:02:21.326102972 CEST | 192.168.2.4 | 8.8.8.8 | 0xc8f3 | Standard query (0) | venom12345.duckdns.org | A (IP address) | IN (0x0001) | false
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Oct 14, 2022 20:02:21.432149887 CEST | 8.8.8.8 | 192.168.2.4 | 0xc8f3 | No error (0) | venom12345.duckdns.org | | 185.216.71.4 | A (IP address) | IN (0x0001) | false

        Target ID:0
        Start time:20:02:07
        Start date:14/10/2022
        Path:C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe
        Imagebase:0x440000
        File size:281600 bytes
        MD5 hash:F1550A3B28BC977E1453701DE0EFC02B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.324762257.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        Reputation:low

        Target ID:1
        Start time:20:02:15
        Start date:14/10/2022
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Imagebase:0x650000
        File size:64616 bytes
        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.574675951.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.579062801.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.320163813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.572239214.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        Reputation:high

        Target ID:2
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:3
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:4
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:5
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:6
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c copy "C:\Users\user\Desktop\Scanned_V11230111111PDF-clean.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:7
        Start time:20:02:16
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0x1370000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:8
        Start time:20:02:17
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:9
        Start time:20:02:19
        Start date:14/10/2022
        Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0x990000
        File size:281600 bytes
        MD5 hash:F1550A3B28BC977E1453701DE0EFC02B
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.360615457.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 100%, Joe Sandbox ML
        • Detection: 35%, Virustotal, Browse

        Target ID:10
        Start time:20:02:30
        Start date:14/10/2022
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Imagebase:0x4c0000
        File size:64616 bytes
        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.375311951.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.369404467.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

        Target ID:11
        Start time:20:02:31
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:12
        Start time:20:02:31
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:13
        Start time:20:02:31
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:14
        Start time:20:02:31
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:15
        Start time:20:02:31
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:16
        Start time:20:02:32
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0x1370000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:17
        Start time:20:02:32
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:19
        Start time:20:03:01
        Start date:14/10/2022
        Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0x910000
        File size:281600 bytes
        MD5 hash:F1550A3B28BC977E1453701DE0EFC02B
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:.Net C# or VB.NET

        Target ID:21
        Start time:20:03:12
        Start date:14/10/2022
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Imagebase:0x340000
        File size:64616 bytes
        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.460762066.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000015.00000002.458811669.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

        Target ID:22
        Start time:20:03:13
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:23
        Start time:20:03:13
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:24
        Start time:20:03:13
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:25
        Start time:20:03:14
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:26
        Start time:20:03:14
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0xd90000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:27
        Start time:20:03:14
        Start date:14/10/2022
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Imagebase:0x1370000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:28
        Start time:20:03:14
        Start date:14/10/2022
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7c72c0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Target ID:30
        Start time:20:04:00
        Start date:14/10/2022
        Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Imagebase:0x750000
        File size:281600 bytes
        MD5 hash:F1550A3B28BC977E1453701DE0EFC02B
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:.Net C# or VB.NET

          Memory Dump Source
          • Source File: 00000000.00000002.323957698.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_a2d000_Scanned_V11230111111PDF-clean.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6201fe07678beef0e3ee8c4dfab7014e0ffcf8d018c84f24cb5cd2cd8db6a8f3
          • Instruction ID: 9de24c3bd6d5126a40fb248213d3cebdbcf084683f068c36498d8781dd41c81f
          • Opcode Fuzzy Hash: 6201fe07678beef0e3ee8c4dfab7014e0ffcf8d018c84f24cb5cd2cd8db6a8f3
          • Instruction Fuzzy Hash: 3321F5B1504240DFDB05EF18E9C4F26BB65FB98324F24C579E9094B247C336E856C7A2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.323957698.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_a2d000_Scanned_V11230111111PDF-clean.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 184647470e7b37bd629d7a5ddfa7683b521182ff152f615f8efd1742cd9cb634
          • Instruction ID: 65c9e9c2fbcf53968605d9b8227d0fdb336f194f40251d47d21712d959cb57de
          • Opcode Fuzzy Hash: 184647470e7b37bd629d7a5ddfa7683b521182ff152f615f8efd1742cd9cb634
          • Instruction Fuzzy Hash: A521D6B1504240DFDB15DF18E9C0B26BB75FB98328F24C579E9094B247C376D855C6A1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.323957698.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_a2d000_Scanned_V11230111111PDF-clean.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 809d129c2b0c72f05a798e18ea7fbd19c0a6a5efa7904eeb69684a7ad94a1d70
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 1F11AF76404280CFDB15DF14D9C4B16BF71FB94324F24C6A9D8094B617C336E85ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.323957698.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_a2d000_Scanned_V11230111111PDF-clean.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 12b3fd9c225dc31a3cbb99ae2d6649f5553f9c055e61d0fc0775c5f19abfe584
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 7A11B176404280CFDB12CF14D9C4B16BF71FB94324F24C6A9D8054B617C336D85ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:18.9%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:33.3%
          Total number of Nodes:9
          Total number of Limit Nodes:0
          execution_graph 11330 f259f0 11331 f25a0e 11330->11331 11334 f255cc 11331->11334 11333 f25a45 11335 f27510 LoadLibraryA 11334->11335 11337 f275ec 11335->11337 11338 f22560 11339 f225ae NtProtectVirtualMemory 11338->11339 11341 f225f8 11339->11341

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 285 f22109-f2214c 286 f22158-f2215b 285->286 287 f2214e-f22150 285->287 288 f22161-f22184 286->288 289 f224c6-f224f5 286->289 287->289 290 f22156 287->290 293 f22190-f22193 288->293 294 f22186-f22188 288->294 305 f224fc-f22500 289->305 290->288 293->289 297 f22199-f221bf 293->297 294->289 296 f2218e 294->296 296->297 300 f221c1-f221c5 297->300 301 f221cd-f221d1 297->301 300->289 303 f221cb 300->303 301->289 304 f221d7-f221e5 301->304 303->304 307 f221e7-f221f2 304->307 308 f221f4-f221fc 304->308 309 f22502-f2250c 305->309 310 f2250d-f225f6 NtProtectVirtualMemory 305->310 311 f221ff-f22201 307->311 308->311 339 f225f8-f225fe 310->339 340 f225ff-f22624 310->340 312 f22203-f22205 311->312 313 f2220d-f22210 311->313 312->289 315 f2220b 312->315 313->289 316 f22216-f22239 313->316 315->316 320 f22245-f22248 316->320 321 f2223b-f2223d 316->321 320->289 323 f2224e-f22272 320->323 321->289 322 f22243 321->322 322->323 327 f22274-f22276 323->327 328 f2227e-f22281 323->328 327->289 329 f2227c 327->329 328->289 330 f22287-f222a8 328->330 329->330 334 f222b4-f222b7 330->334 335 f222aa-f222ac 330->335 334->289 337 f222bd-f222e1 334->337 335->289 336 f222b2 335->336 336->337 343 f222e3-f222e5 337->343 344 f222ed-f222f0 337->344 339->340 343->289 346 f222eb 343->346 344->289 347 f222f6-f2231a 344->347 346->347 350 f22326-f22329 347->350 351 f2231c-f2231e 347->351 350->289 353 f2232f-f22353 350->353 351->289 352 f22324 351->352 352->353 355 f22355-f22357 353->355 356 f2235f-f22362 353->356 355->289 357 f2235d 355->357 356->289 358 f22368-f2237b 356->358 357->358 358->305 360 f22381-f223b0 358->360 361 f223b2-f223b4 360->361 362 f223bc-f223bf 360->362 361->289 364 f223ba 361->364 362->289 363 f223c5-f223dd 362->363 366 f223e9-f223ec 363->366 367 f223df-f223e1 363->367 364->363 366->289 369 f223f2-f22409 366->369 367->289 368 f223e7 367->368 368->369 372 f224b5-f224be 369->372 373 f2240f-f22432 369->373 372->360 376 f224c4 372->376 374 f22434-f22436 373->374 375 f2243e-f22441 373->375 374->289 378 f2243c 374->378 375->289 377 f22447-f22477 375->377 376->305 380 f22479-f2247b 377->380 381 f2247f-f22482 377->381 378->377 380->289 382 f2247d 380->382 381->289 383 f22484-f224a1 381->383 382->383 385 f224a3-f224a5 383->385 386 f224a9-f224ac 383->386 385->289 387 f224a7 385->387 386->289 388 f224ae-f224b3 386->388 387->388 388->305
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00F225E9
          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID:
          • API String ID: 2706961497-0
          • Opcode ID: 19a2890b8701fcdbaf14be888ddc2ba5e309c1f6a91170cf874adbdd36e594d5
          • Instruction ID: 82705aac12a33622cdb5c0311511b30ba6eeb3e6f855f256c9836a6fa941726a
          • Opcode Fuzzy Hash: 19a2890b8701fcdbaf14be888ddc2ba5e309c1f6a91170cf874adbdd36e594d5
          • Instruction Fuzzy Hash: A7E1B331F0022497DB54DAADAC903AE76A3AFC4324F19823ADA15DB7C5EB34DD016751
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 389 f2e8d0-f2e8ee 392 f2e8f0-f2e8f7 389->392 393 f2e95c-f2e98b 389->393 392->393 394 f2e991-f2e998 393->394 395 f2ebbd-f2ebe5 393->395 396 f2e9a4-f2e9c3 394->396 397 f2e99a-f2e9a3 394->397 410 f2ebec-f2ecf1 395->410 399 f2ebb0-f2ebbc 396->399 400 f2e9c9-f2e9ea 396->400 401 f2e9f2-f2ea20 400->401 402 f2e9ec-f2e9f0 400->402 406 f2ea25-f2eaab call f2dad0 401->406 402->401 403 f2ea22 402->403 403->406 464 f2eaad call f2e8d0 406->464 465 f2eaad call f2e920 406->465 466 f2eaad call f2ec08 406->466 427 f2ecf6-f2ed04 410->427 421 f2eab3-f2eac1 call f2e040 425 f2eac3-f2eac5 421->425 426 f2eb20-f2eb24 421->426 430 f2eb09-f2eb18 425->430 428 f2eb26-f2eb33 426->428 429 f2eb67-f2eb6e 426->429 431 f2ed06-f2ed0c 427->431 432 f2ed0d-f2ed58 427->432 434 f2eb47-f2eb59 428->434 435 f2eb35-f2eb3a 428->435 436 f2eb82-f2eb86 429->436 437 f2eb70-f2eb77 429->437 430->426 433 f2eb1a 430->433 431->432 454 f2ed62-f2ed66 432->454 455 f2ed5a 432->455 440 f2eac7-f2ead3 433->440 441 f2eb1c-f2eb1e 433->441 443 f2eba8-f2ebad 434->443 451 f2eb5b-f2eb65 434->451 435->434 445 f2eb3c-f2eb45 435->445 436->443 444 f2eb88-f2eb8f 436->444 437->436 438 f2eb79 437->438 438->436 440->410 447 f2ead9-f2eb08 440->447 441->426 441->440 443->399 444->443 446 f2eb91-f2eba7 444->446 445->443 447->430 451->443 457 f2ed82 454->457 458 f2ed68-f2ed74 454->458 455->454 462 f2ed83 457->462 460 f2ed76-f2ed79 458->460 461 f2ed7c 458->461 460->461 461->457 462->462 464->421 465->421 466->421
          Strings
          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID: <pl
          • API String ID: 0-3342612563
          • Opcode ID: d4e6a40da87db1fa4fc875a11ccdee150e0e317bbb9eb97e9597a412200c0e99
          • Instruction ID: 707ffec6829583de00b1c2e3891856808992bd8fec1ff57546b4b126c6425cf4
          • Opcode Fuzzy Hash: d4e6a40da87db1fa4fc875a11ccdee150e0e317bbb9eb97e9597a412200c0e99
          • Instruction Fuzzy Hash: 4AE18C71E00219CFCB14DFA8D484AEEBBB2FF88314F25855AE515AB351DB34AD46CB90
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1126 f22560-f225f6 NtProtectVirtualMemory 1129 f225f8-f225fe 1126->1129 1130 f225ff-f22624 1126->1130 1129->1130
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00F225E9
          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID:
          • API String ID: 2706961497-0
          • Opcode ID: d07ae433f5366a7ea61e92ef5ccf49494206d87240a4b52ad41bcd1fe8bacee5
          • Instruction ID: 326f45a4d123ac6703c02a7df688cce9e87ade5c39ad505f5af9577cb32f886b
          • Opcode Fuzzy Hash: d07ae433f5366a7ea61e92ef5ccf49494206d87240a4b52ad41bcd1fe8bacee5
          • Instruction Fuzzy Hash: 552103B1D003099FCB10CFAAD984ADEFBF5FF48314F10842AE519A7200C7759904CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 120816b5af3532f0101950bc3481da4ebb8e48443e9f78614572aba2cd5c1627
          • Instruction ID: 982c874bb1cef4e96cc9b16b3177c90cb04cbc571ab69f64f26ea82d3a5456f7
          • Opcode Fuzzy Hash: 120816b5af3532f0101950bc3481da4ebb8e48443e9f78614572aba2cd5c1627
          • Instruction Fuzzy Hash: A9B14A70E00229CFDB10CFA9D8857DEBBF2AF88724F148129D815A7294EB759C55DF82
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 70ccc9121f420906b17f45ff9af92a806739b2b525a42d2e091f1d0d0e5f6304
          • Instruction ID: 99f25af66c1d6231e8731324ebd2375a9bd616873b45518b04bc266616a0eb93
          • Opcode Fuzzy Hash: 70ccc9121f420906b17f45ff9af92a806739b2b525a42d2e091f1d0d0e5f6304
          • Instruction Fuzzy Hash: ECB18F70E00619CFDB10CFA9E9857DDBBF2AF88314F148129D815AB394EB789845DB82
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 467 f27504-f27567 469 f275a0-f275ea LoadLibraryA 467->469 470 f27569-f27573 467->470 477 f275f3-f27624 469->477 478 f275ec-f275f2 469->478 470->469 471 f27575-f27577 470->471 472 f2759a-f2759d 471->472 473 f27579-f27583 471->473 472->469 475 f27587-f27596 473->475 476 f27585 473->476 475->475 479 f27598 475->479 476->475 482 f27626-f2762a 477->482 483 f27634 477->483 478->477 479->472 482->483 484 f2762c 482->484 485 f27635 483->485 484->483 485->485
          APIs
          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 47f7028fdfc0580fa0a99ee0121d38aff67804d13416f01bc1107f149335a146
          • Instruction ID: bef1778f45b69dfc65856276a569813abab55152fe97c7c11982a44fe1a16b15
          • Opcode Fuzzy Hash: 47f7028fdfc0580fa0a99ee0121d38aff67804d13416f01bc1107f149335a146
          • Instruction Fuzzy Hash: 723147B0D047598FDB14DFA9E8467DDFBB1FB08314F148129E815A7280D7749841CF91
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 486 f255cc-f27567 488 f275a0-f275ea LoadLibraryA 486->488 489 f27569-f27573 486->489 496 f275f3-f27624 488->496 497 f275ec-f275f2 488->497 489->488 490 f27575-f27577 489->490 491 f2759a-f2759d 490->491 492 f27579-f27583 490->492 491->488 494 f27587-f27596 492->494 495 f27585 492->495 494->494 498 f27598 494->498 495->494 501 f27626-f2762a 496->501 502 f27634 496->502 497->496 498->491 501->502 503 f2762c 501->503 504 f27635 502->504 503->502 504->504
          APIs
          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0
          • Opcode ID: 653b41e32b91ede1858425f2e2db216e96a8e93f1ee04a41fdf1d7224485b7f8
          • Instruction ID: ab79969c5bffd092b5b18c6d7267ad6e20443fef482d69bb234da375f532f0d9
          • Opcode Fuzzy Hash: 653b41e32b91ede1858425f2e2db216e96a8e93f1ee04a41fdf1d7224485b7f8
          • Instruction Fuzzy Hash: F03145B0D04759CFDB14DFA9E846B9EFBB1BB08314F148529E815AB380E7789881CF95
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571361383.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_d2d000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: eab0aa82e417d18e72597eb4553f1cbec77751dcd0a50d53b942ed01d40cc741
          • Instruction ID: 0b74b5875a3e64b401f860cb255942f1a61ca72e720755d2f75d9f69af61a29d
          • Opcode Fuzzy Hash: eab0aa82e417d18e72597eb4553f1cbec77751dcd0a50d53b942ed01d40cc741
          • Instruction Fuzzy Hash: EA2107B1504240DFDB05EF10E9C0F26BB66FBA8328F34C569E9494B246C336E856C7B2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571361383.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_d2d000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b1b1824f43b99516a3dc645dcebbfdd2397cc6bb7c6ab0d651b73c2d5db6fa2e
          • Instruction ID: 5bcf05fe8530242fd4513ed3af84fa10001a1083fd6406260be8866cdc2ab098
          • Opcode Fuzzy Hash: b1b1824f43b99516a3dc645dcebbfdd2397cc6bb7c6ab0d651b73c2d5db6fa2e
          • Instruction Fuzzy Hash: 4111D376404280CFDF11DF10D9C4B16BF72FB94324F28C6A9D8494B616C336E85ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6ffde7a09bea08129d5c5756dfdf5ccf8af003a341003dba45c44380badb3360
          • Instruction ID: 846bdb9d048406884dcd1d37c4615e983abd1cd000bf376ea4bc910e7fd6fa28
          • Opcode Fuzzy Hash: 6ffde7a09bea08129d5c5756dfdf5ccf8af003a341003dba45c44380badb3360
          • Instruction Fuzzy Hash: 67C19132F0022447DB1485BDACA03AE71976BE4335F6D8239DA51DBBC5EE38DD426389
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 16d112198fcb6846b666ab531b0094205525b40f636c4ae8ca1cb3dae1960ba3
          • Instruction ID: b8bf2208dc1369355bc2b40b33523ccf3135dccd8492a7ff14e1fda0f01028b4
          • Opcode Fuzzy Hash: 16d112198fcb6846b666ab531b0094205525b40f636c4ae8ca1cb3dae1960ba3
          • Instruction Fuzzy Hash: 0191A132F0032547DB0889AD9CA03EE71976FE4325F1D8139AA42CFB85EE78DD456389
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.571796736.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_1_2_f20000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: cb7dde20ebb247c146de52909e81a49151ec2506d6b96445de4b21a681663963
          • Instruction ID: b45434bf4c06f244911feb844d2871e91d38e9fc1cfba4e7fd02971330564444
          • Opcode Fuzzy Hash: cb7dde20ebb247c146de52909e81a49151ec2506d6b96445de4b21a681663963
          • Instruction Fuzzy Hash: D6918970E04219CFDF10CFA9D9857EEBBF2AF88314F148129E818E7294DBB49845DB91
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:35.4%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:6.1%
          Total number of Nodes:49
          Total number of Limit Nodes:2
          execution_graph 2192 11e0448 2193 11e044e 2192->2193 2194 11e0452 2193->2194 2196 11e1bc2 2193->2196 2200 11e2310 2196->2200 2204 11e2301 2196->2204 2197 11e1bdb 2197->2194 2201 11e231c 2200->2201 2202 11e2326 2201->2202 2208 11e3187 2201->2208 2202->2197 2205 11e2310 2204->2205 2206 11e2326 2205->2206 2207 11e3187 12 API calls 2205->2207 2206->2197 2207->2205 2209 11e31a0 2208->2209 2237 11e3c74 2209->2237 2241 11e3c80 2209->2241 2210 11e3222 2217 11e352a 2210->2217 2219 11e416e ReadProcessMemory 2210->2219 2220 11e4170 ReadProcessMemory 2210->2220 2211 11e3597 2235 11e443e ResumeThread 2211->2235 2236 11e4440 ResumeThread 2211->2236 2212 11e35bf 2212->2201 2213 11e3308 2221 11e4258 VirtualAllocEx 2213->2221 2222 11e4260 VirtualAllocEx 2213->2222 2214 11e3388 2214->2217 2229 11e4308 WriteProcessMemory 2214->2229 2230 11e4300 WriteProcessMemory 2214->2230 2215 11e33f3 2216 11e34e9 2215->2216 2225 11e4308 WriteProcessMemory 2215->2225 2226 11e4300 WriteProcessMemory 2215->2226 2227 11e4308 WriteProcessMemory 2216->2227 2228 11e4300 WriteProcessMemory 2216->2228 2218 11e3567 2217->2218 2223 11e40ae SetThreadContext 2217->2223 2224 11e40b0 SetThreadContext 2217->2224 2218->2211 2233 11e40ae SetThreadContext 2218->2233 2234 11e40b0 SetThreadContext 2218->2234 2219->2213 2220->2213 2221->2214 2222->2214 2223->2218 2224->2218 2225->2215 2226->2215 2227->2217 2228->2217 2229->2215 2230->2215 2233->2211 2234->2211 2235->2212 2236->2212 2239 11e3d0d CreateProcessAsUserA 2237->2239 2240 11e3f25 2239->2240 2243 11e3d0d CreateProcessAsUserA 2241->2243 2244 11e3f25 2243->2244 2245 11e0287 2246 11e02a5 2245->2246 2247 11e0452 2246->2247 2248 11e1bc2 12 API calls 2246->2248 2248->2247

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 91 11e3c80-11e3d19 93 11e3d6d-11e3d8d 91->93 94 11e3d1b-11e3d40 91->94 98 11e3d8f-11e3db4 93->98 99 11e3de1-11e3e12 93->99 94->93 97 11e3d42-11e3d44 94->97 100 11e3d46-11e3d50 97->100 101 11e3d67-11e3d6a 97->101 98->99 109 11e3db6-11e3db8 98->109 107 11e3e69-11e3f23 CreateProcessAsUserA 99->107 108 11e3e14-11e3e3c 99->108 102 11e3d54-11e3d63 100->102 103 11e3d52 100->103 101->93 102->102 106 11e3d65 102->106 103->102 106->101 121 11e3f2c-11e3fa0 107->121 122 11e3f25-11e3f2b 107->122 108->107 117 11e3e3e-11e3e40 108->117 110 11e3dba-11e3dc4 109->110 111 11e3ddb-11e3dde 109->111 114 11e3dc8-11e3dd7 110->114 115 11e3dc6 110->115 111->99 114->114 116 11e3dd9 114->116 115->114 116->111 119 11e3e42-11e3e4c 117->119 120 11e3e63-11e3e66 117->120 123 11e3e4e 119->123 124 11e3e50-11e3e5f 119->124 120->107 133 11e3fa2-11e3fa6 121->133 134 11e3fb0-11e3fb4 121->134 122->121 123->124 124->124 125 11e3e61 124->125 125->120 133->134 135 11e3fa8 133->135 136 11e3fb6-11e3fba 134->136 137 11e3fc4-11e3fc8 134->137 135->134 136->137 138 11e3fbc 136->138 139 11e3fca-11e3fce 137->139 140 11e3fd8-11e3fdc 137->140 138->137 139->140 141 11e3fd0 139->141 142 11e3fee-11e3ff5 140->142 143 11e3fde-11e3fe4 140->143 141->140 144 11e400c 142->144 145 11e3ff7-11e4006 142->145 143->142 147 11e400d 144->147 145->144 147->147
          APIs
          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 011E3F10
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: CreateProcessUser
          • String ID:
          • API String ID: 2217836671-0
          • Opcode ID: da0381ba3e852c9e0bcde88a4ac3390fd0b386aca214b0b43bd889904191b751
          • Instruction ID: 8cb420e8af5c55f4ad791a0024fc2be0fd8797a26c7c702733c114064e82fa81
          • Opcode Fuzzy Hash: da0381ba3e852c9e0bcde88a4ac3390fd0b386aca214b0b43bd889904191b751
          • Instruction Fuzzy Hash: F7A17A71E106199FDB28CFA8C9457DDBBF2FF48304F048169E869A7280DB759985CF82
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 34 11e3c74-11e3d19 36 11e3d6d-11e3d8d 34->36 37 11e3d1b-11e3d40 34->37 41 11e3d8f-11e3db4 36->41 42 11e3de1-11e3e12 36->42 37->36 40 11e3d42-11e3d44 37->40 43 11e3d46-11e3d50 40->43 44 11e3d67-11e3d6a 40->44 41->42 52 11e3db6-11e3db8 41->52 50 11e3e69-11e3f23 CreateProcessAsUserA 42->50 51 11e3e14-11e3e3c 42->51 45 11e3d54-11e3d63 43->45 46 11e3d52 43->46 44->36 45->45 49 11e3d65 45->49 46->45 49->44 64 11e3f2c-11e3fa0 50->64 65 11e3f25-11e3f2b 50->65 51->50 60 11e3e3e-11e3e40 51->60 53 11e3dba-11e3dc4 52->53 54 11e3ddb-11e3dde 52->54 57 11e3dc8-11e3dd7 53->57 58 11e3dc6 53->58 54->42 57->57 59 11e3dd9 57->59 58->57 59->54 62 11e3e42-11e3e4c 60->62 63 11e3e63-11e3e66 60->63 66 11e3e4e 62->66 67 11e3e50-11e3e5f 62->67 63->50 76 11e3fa2-11e3fa6 64->76 77 11e3fb0-11e3fb4 64->77 65->64 66->67 67->67 68 11e3e61 67->68 68->63 76->77 78 11e3fa8 76->78 79 11e3fb6-11e3fba 77->79 80 11e3fc4-11e3fc8 77->80 78->77 79->80 81 11e3fbc 79->81 82 11e3fca-11e3fce 80->82 83 11e3fd8-11e3fdc 80->83 81->80 82->83 84 11e3fd0 82->84 85 11e3fee-11e3ff5 83->85 86 11e3fde-11e3fe4 83->86 84->83 87 11e400c 85->87 88 11e3ff7-11e4006 85->88 86->85 90 11e400d 87->90 88->87 90->90
          APIs
          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 011E3F10
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: CreateProcessUser
          • String ID:
          • API String ID: 2217836671-0
          • Opcode ID: b9f6bdc3e4bf8a60e785aec4b526175d531a25f2ced652b94ddb9bec37e08291
          • Instruction ID: d826b2592dd8c5dad1f10a08bb8a197aa8df8c56f19da81d18e2de5dd33ff103
          • Opcode Fuzzy Hash: b9f6bdc3e4bf8a60e785aec4b526175d531a25f2ced652b94ddb9bec37e08291
          • Instruction Fuzzy Hash: 03A17A71E106199FDB18CFA8C9457DDBBF2FF48304F048169E869A7280DB759985CF82
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 312 11e4308-11e4359 314 11e435b-11e4367 312->314 315 11e4369-11e43a2 WriteProcessMemory 312->315 314->315 316 11e43ab-11e43cc 315->316 317 11e43a4-11e43aa 315->317 317->316
          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011E4395
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          • Opcode ID: 8e8ece0db4b57605c649e651c224a7ce7a95dee1d25960c032286c859ad89c6a
          • Instruction ID: 0b9818b9024fd831070b088fd31e2943ba88b9e3a51ac73c06737e1e63f7bda3
          • Opcode Fuzzy Hash: 8e8ece0db4b57605c649e651c224a7ce7a95dee1d25960c032286c859ad89c6a
          • Instruction Fuzzy Hash: 522103B1900359DFDB14CF9AD988BDEBBF4FB48314F00842AE918E3640D374A940CBA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 305 11e4300-11e4359 307 11e435b-11e4367 305->307 308 11e4369-11e43a2 WriteProcessMemory 305->308 307->308 309 11e43ab-11e43cc 308->309 310 11e43a4-11e43aa 308->310 310->309
          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011E4395
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          • Opcode ID: 954de73b7dee896adec96222d79646f2a6e43a95192db2aca55fbb5fc691be14
          • Instruction ID: 3165b5fe967ddd330ec547a4b54f923e7bbb013fa1882aed1cf15c4fc7b37515
          • Opcode Fuzzy Hash: 954de73b7dee896adec96222d79646f2a6e43a95192db2aca55fbb5fc691be14
          • Instruction Fuzzy Hash: 472103B5900259DFDB14CF99D989BDEBBF4FF48324F04842AE958E3640D374A940CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 319 11e40b0-11e40fc 321 11e40fe-11e4106 319->321 322 11e4108-11e4134 SetThreadContext 319->322 321->322 323 11e413d-11e415e 322->323 324 11e4136-11e413c 322->324 324->323
          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 011E4127
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          • Opcode ID: 997b4517e7f17b6790300911e63e0070e84306efc43759e683ae1df275b5a155
          • Instruction ID: c4283116ba85e55be2e7117fff411b1c22ed2fb2d46c4de6d7a9b20cbbb9cccb
          • Opcode Fuzzy Hash: 997b4517e7f17b6790300911e63e0070e84306efc43759e683ae1df275b5a155
          • Instruction Fuzzy Hash: 4C2138B1E006199FDB14CF9AD944BDEFBF4BB48224F04812AD518F3740D774A9448FA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 326 11e40ae-11e40fc 328 11e40fe-11e4106 326->328 329 11e4108-11e4134 SetThreadContext 326->329 328->329 330 11e413d-11e415e 329->330 331 11e4136-11e413c 329->331 331->330
          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 011E4127
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          • Opcode ID: 8be2e0997ccb3e416045a8121893df64ea67c33c8341aafab1b18339a37f69dd
          • Instruction ID: b141520a525ffc512fe684a3994ac84b820c885d8d61b4da60b6b893d60bf239
          • Opcode Fuzzy Hash: 8be2e0997ccb3e416045a8121893df64ea67c33c8341aafab1b18339a37f69dd
          • Instruction Fuzzy Hash: 381117B1E006199FDB14CF9AD9857EEFBF4BB48224F04812AD518F3740D778A9458FA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e4170-11e421d, calls ReadProcessMemory]
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011E41E6
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: cfb030c16bfd102826861259ed7a1f855c9e035eceea68e5f0576d213d5da69d
          • Instruction ID: a78415b571a74434af705aa2e1d16c55f44da9be6d189a964e35281740b62c36
          • Opcode Fuzzy Hash: cfb030c16bfd102826861259ed7a1f855c9e035eceea68e5f0576d213d5da69d
          • Instruction Fuzzy Hash: A32103B5900649DFDB10CF9AD984BDEFBF4FB48320F148029E958A3650D378AA45CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e416e-11e421d, calls ReadProcessMemory]
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011E41E6
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 39c7754cd8d55d555fe3c80462e5fad0e99a0cd1a9108a0f774bfd3da1750f1e
          • Instruction ID: 9ad20d804761044c028a188995058179d1a4ce5070ef6c60872dd581a8e4c9f5
          • Opcode Fuzzy Hash: 39c7754cd8d55d555fe3c80462e5fad0e99a0cd1a9108a0f774bfd3da1750f1e
          • Instruction Fuzzy Hash: D32106B5900649DFDB10CF9AD984BDEBBF4FF48320F148429E558A3650D338A645CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e4258-11e42f5, calls VirtualAllocEx]
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011E42CB
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 2af538edff57183ce4c34e0fc8cb6b9389b40b26623e25cd5605799e8f1f32ba
          • Instruction ID: 9b19bf799035926f28febf42a612af09923886e6c8be4dba3dc856715e1593fc
          • Opcode Fuzzy Hash: 2af538edff57183ce4c34e0fc8cb6b9389b40b26623e25cd5605799e8f1f32ba
          • Instruction Fuzzy Hash: 731104B5900649DFDB21CF99D988BDEBBF4FB48324F148419E618B7650C335A940CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e4260-11e42f5, calls VirtualAllocEx]
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011E42CB
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: bf699fec224e48138271b0ac26539da3a2c3703efe432004c9641721d6d03dab
          • Instruction ID: ad8bef1cedf7677812901b8a4d52ba95bf9b3bd11296da07863ded02e4bbbd97
          • Opcode Fuzzy Hash: bf699fec224e48138271b0ac26539da3a2c3703efe432004c9641721d6d03dab
          • Instruction Fuzzy Hash: 0011E3B5900649DFDB20CF9AD988BDEBBF4EB88324F148419E528A7610C375A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e4440-11e44c9, calls ResumeThread]
          APIs
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          • Opcode ID: 65da1f56fb925562122f3f0e80d3fd5cecddac1f65ec5ec07072cf08b88caeb4
          • Instruction ID: 6d7eb7a810a43027d41789fd1aeb39e4b123dcc662945e45720f23cd32adb53f
          • Opcode Fuzzy Hash: 65da1f56fb925562122f3f0e80d3fd5cecddac1f65ec5ec07072cf08b88caeb4
          • Instruction Fuzzy Hash: 201112B19007488FDB20CF9AD588BDEFBF8EB88324F10841AD519A3700C374A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 11e443e-11e44c9, calls ResumeThread]
          APIs
          Memory Dump Source
          • Source File: 00000009.00000002.359851102.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_11e0000_msdtc.jbxd
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          • Opcode ID: 3e2d25a7779e6ee4e4755ff1665808b0c7e1410ecec6a0e4572ffbc68fbfe701
          • Instruction ID: 0cd8211eb7ddcb1d31d007aa211240b99f9f33192b9e9701c8192dda0aa8eeee
          • Opcode Fuzzy Hash: 3e2d25a7779e6ee4e4755ff1665808b0c7e1410ecec6a0e4572ffbc68fbfe701
          • Instruction Fuzzy Hash: E91112B5900608CFDB20CF99D588BDEFBF4AB48324F14841AD519B3700C378A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000009.00000002.359539324.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_118d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: de64d8e124a11b77d173f3cb8f28397bfd39c6d2bd3be40e1b60e7ad6bc12305
          • Instruction ID: b0e33bdf8b2a29fa50217a007086f60eb3cc36a97c73738f2133f815f63da875
          • Opcode Fuzzy Hash: de64d8e124a11b77d173f3cb8f28397bfd39c6d2bd3be40e1b60e7ad6bc12305
          • Instruction Fuzzy Hash: 9E21E2B1504340DFDF09EF54E9C0B26BB75FB88228F24C56AE9094A286C336D855CAA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000009.00000002.359539324.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_118d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 32566833d28d329d5d93800e9c509e0c0d76523c77f1a3c8adeb42e76f9c85f2
          • Instruction ID: 77708d729c58f7082b05fbae25077d8fc2ca9e107cc4f1ccd9e23535c35b9ca4
          • Opcode Fuzzy Hash: 32566833d28d329d5d93800e9c509e0c0d76523c77f1a3c8adeb42e76f9c85f2
          • Instruction Fuzzy Hash: EA2136B1504300DFDF09EF58E9C0F66BB65FB88324F24C568E9090B687C336E805CAA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000009.00000002.359539324.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_118d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 07cfc67aec2fbb1c3eca5acf3cb7320c5e9f54f942c5b3fd0fe2fb1e99013dae
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 8011AF76404280DFDF16DF54E9C4B16BF71FB84324F24C6AAD8054B656C336D456CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000009.00000002.359539324.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_9_2_118d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 5af8d6d93e9d66809f4014743b548e8aecaecb6c7bb4288c8c465389cdce5a2e
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 6711AF76404280DFDF16DF58E9C4B56BF71FB84324F24C6A9D8090B656C336E45ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:26.7%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:0%
          Total number of Nodes:8
          Total number of Limit Nodes:0
          [execution graph image omitted: paths from 2602560 and 2602109 through NtProtectVirtualMemory]

          Control-flow Graph

          [graph image omitted: function entered at 2602109 (nodes 26020e2-2602624), calls NtProtectVirtualMemory]
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 026025E9
          Strings
          Memory Dump Source
          • Source File: 0000000A.00000002.369182657.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_10_2_2600000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID: ]
          • API String ID: 2706961497-3352871620
          • Opcode ID: 2f3ea6626c6b87c2c9cfb3373cba623e17fae287b24b8c8e4e6f6fe803bb68a3
          • Instruction ID: 905316036f55143ea221637d93fb03fb8613fe0e5b0836ba8f67dd0024c5c197
          • Opcode Fuzzy Hash: 2f3ea6626c6b87c2c9cfb3373cba623e17fae287b24b8c8e4e6f6fe803bb68a3
          • Instruction Fuzzy Hash: EDE19131F0020447DB5CCABDCCE43AF72A7AFC8624F298629DA15DB7C5EB349805A755
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 2602560-2602624, calls NtProtectVirtualMemory]
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 026025E9
          Memory Dump Source
          • Source File: 0000000A.00000002.369182657.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_10_2_2600000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID:
          • API String ID: 2706961497-0
          • Opcode ID: 424668f589e301961b73dfede4f6d816bd9da54912c6c198eedc07af2e996dd8
          • Instruction ID: 2c7fb1df94d13e34661d9535ac43e10022772ea23d0253306bb635b6dbc1c5c3
          • Opcode Fuzzy Hash: 424668f589e301961b73dfede4f6d816bd9da54912c6c198eedc07af2e996dd8
          • Instruction Fuzzy Hash: 7B2100B1D002099FCB10CFAAD984ADEFBF5FF48314F50842AE919A7340C775A904CBA5
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:36.2%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:0%
          Total number of Nodes:64
          Total number of Limit Nodes:2
          [execution graph image omitted: paths from 1073810, 107028d and 1070448 through CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread]

          Control-flow Graph

          [graph image omitted: function 107386c-107400d, calls CreateProcessAsUserA]
          APIs
          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 01073F10
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: CreateProcessUser
          • String ID:
          • API String ID: 2217836671-0
          • Opcode ID: e63c180191bc0ca8af861cb69d02b9328311fabc1307497ebcc1709957a54eb2
          • Instruction ID: a42956452a36b805e79ff11f725c6be599dab23edba46b47be0d3b679afd6867
          • Opcode Fuzzy Hash: e63c180191bc0ca8af861cb69d02b9328311fabc1307497ebcc1709957a54eb2
          • Instruction Fuzzy Hash: 5DC1CF31E042189FEB11DF68D891BDDBBF2FF49314F0484A6D488EB292DB349985CB95
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1073d24-107400d, calls CreateProcessAsUserA]
          APIs
          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 01073F10
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: CreateProcessUser
          • String ID:
          • API String ID: 2217836671-0
          • Opcode ID: 72e5947d44802d522239d7158eb47118f587af2939851f21c9bf0968f6b21732
          • Instruction ID: 4900faa5dd7e4fea366210ebb2950bd28bc8ff850c5d664bfc26483fd975bad4
          • Opcode Fuzzy Hash: 72e5947d44802d522239d7158eb47118f587af2939851f21c9bf0968f6b21732
          • Instruction Fuzzy Hash: 51816A31E00219DFEB11DF68D8817DDBBB2FF48304F0481A9E898AB291D7759985DF85
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1073d54-107400d, calls CreateProcessAsUserA]
          APIs
          • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 01073F10
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: CreateProcessUser
          • String ID:
          • API String ID: 2217836671-0
          • Opcode ID: 81006f3ebadb33529739d0214bbfe1867095e750aaa38c134ec58a9fa6751608
          • Instruction ID: 414ecd92d40d32a599e7bf0750b3a3b4579ce629a2266f7750f24624a7cd6ca1
          • Opcode Fuzzy Hash: 81006f3ebadb33529739d0214bbfe1867095e750aaa38c134ec58a9fa6751608
          • Instruction Fuzzy Hash: 62716B30E00219DFEB11DFA8D9417EDBBB2FF48304F0481A9E898AB291D7759985DF85
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1074300-10743cc, calls WriteProcessMemory]
          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01074395
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          • Opcode ID: b44ef89175a8d284593aaeb1feb1a2eea24b02905f37ea5ddf5a1abf260fe39b
          • Instruction ID: 5c45d1d7e220ee169e5b80fa65143740476f60a33ef44194b6d3622991e59d2d
          • Opcode Fuzzy Hash: b44ef89175a8d284593aaeb1feb1a2eea24b02905f37ea5ddf5a1abf260fe39b
          • Instruction Fuzzy Hash: 302103B1900249DFDB10DF9AD985BDEBBF4FB48324F00842AE958E3340D378A940CBA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1074308-10743cc, calls WriteProcessMemory]
          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01074395
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          • Opcode ID: 2190ae9d4fd38b119074219c111597affcd83394a899ac53b63be494afe257a8
          • Instruction ID: 6deb722286dda57517ea039f3802d435280b529e6b4077e5090f02a3a844036f
          • Opcode Fuzzy Hash: 2190ae9d4fd38b119074219c111597affcd83394a899ac53b63be494afe257a8
          • Instruction Fuzzy Hash: 1621E3B1900259DFDB10CF9AD885BDEBBF4FB48314F00842AE958E3340D774A944CBA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 10740b0-107415e, calls SetThreadContext]
          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 01074127
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          • Opcode ID: 99aae7bfbc4c87f124c2f38e915f288cf3ee2428685b64410f3506e22d2c93ee
          • Instruction ID: a09d6cc42e7ed79f6d50d696045e0301ce9ddf8d79b8b0e20d7c8828fe21f353
          • Opcode Fuzzy Hash: 99aae7bfbc4c87f124c2f38e915f288cf3ee2428685b64410f3506e22d2c93ee
          • Instruction Fuzzy Hash: 7F2136B1E002199FDB10DF9AD884BEEFBF4FB48224F04812AD518E3340D778A9448FA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 10740ae-107415e, calls SetThreadContext]
          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 01074127
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          • Opcode ID: 49acf5fc94477942bc80a461e427c80cbf03eefc302db7e7ba6a980f01febf4f
          • Instruction ID: e6fe4130705be71ff1eff4c4bc10c918f507561de66fd1fb5a9b7b3c51bb59ce
          • Opcode Fuzzy Hash: 49acf5fc94477942bc80a461e427c80cbf03eefc302db7e7ba6a980f01febf4f
          • Instruction Fuzzy Hash: D81147B1E002199FDB00DF9AD9857EEFBF4BB08224F04812AD518F3740D778A9448FA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1074170-107421d, calls ReadProcessMemory]
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010741E6
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 34032bd765089aa688b57ae2e56594e195894fea91dd8706db0a2693c9158dfb
          • Instruction ID: 050cc87e70815a2a9a8ee3abfa6a4d62c436af0d8bcec5a350dd29389ef32974
          • Opcode Fuzzy Hash: 34032bd765089aa688b57ae2e56594e195894fea91dd8706db0a2693c9158dfb
          • Instruction Fuzzy Hash: 0F2103B59002499FCB10DF9AD884BDEFBF4FB48320F148429E958A3250D378AA45CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 107416e-107421d, calls ReadProcessMemory]
          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 010741E6
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          • Opcode ID: 2913d1502f709be8aba4b94ef18c6d17a72baa760b5e4fe4df886a26a1438656
          • Instruction ID: 6187c6f092afcb0e17b95b99c1b96a62610dfeb4bb19e932b07f8d7a182ad5a7
          • Opcode Fuzzy Hash: 2913d1502f709be8aba4b94ef18c6d17a72baa760b5e4fe4df886a26a1438656
          • Instruction Fuzzy Hash: 5B2103B5D00249DFCB10DF9AD984BDEBBF4FB48320F14842AE958A3250D338A645CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [graph image omitted: function 1074258-10742f5, calls VirtualAllocEx]
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010742CB
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 9e8eef7f5015eda9f0273f4f8b575f75eb35f07c2c626482619282fb66229f2b
          • Instruction ID: 34d18a61c5b993b02d092a6e2a0c8caad1d15eaf5552eff24c35b61fe104c3c4
          • Opcode Fuzzy Hash: 9e8eef7f5015eda9f0273f4f8b575f75eb35f07c2c626482619282fb66229f2b
          • Instruction Fuzzy Hash: 111113B69002489FCB10DF9AD888BDEBBF4FB48324F148419E669A7310D375A954CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph: function 1074260-10742d8 (calls VirtualAllocEx); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010742CB
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 1f56b9e03ad6b78e55aa0e3b615732df734b6aea5f4777e4582a63f3de0318be
          • Instruction ID: 2cd390e8c3efb38273eb292fe9927e9721744f2cd264375ceaff414a98b7002c
          • Opcode Fuzzy Hash: 1f56b9e03ad6b78e55aa0e3b615732df734b6aea5f4777e4582a63f3de0318be
          • Instruction Fuzzy Hash: 7B1113B59002489FCB10DF9AD888BDEBBF4EB48324F108419E568A7210C335A940CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph: function 1074440-10744ac (calls ResumeThread); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          APIs
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          • Opcode ID: f517a8ed96073a7b3b885282d4209b03eeea5ed8f1e99a9f372ee297a140610a
          • Instruction ID: 88a8128d6420860e88a84c8028c9a59ca5128022d2e1e9d58ed7047589febf8e
          • Opcode Fuzzy Hash: f517a8ed96073a7b3b885282d4209b03eeea5ed8f1e99a9f372ee297a140610a
          • Instruction Fuzzy Hash: 251112B19002088FCB20DF9AD888BDEFBF8EB88324F10845AD559A3300C775A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph: function 107443e-10744ac (calls ResumeThread); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          APIs
          Memory Dump Source
          • Source File: 00000013.00000002.449353458.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1070000_msdtc.jbxd
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          • Opcode ID: 6afb7b3e5aefdc033531eb3dcab8d2e88d14c1199789b0696e13f59933985c36
          • Instruction ID: 81b12fb1dc3dcff84c252c1420a2f270f674264ba463b896b00e5ec02d7741d0
          • Opcode Fuzzy Hash: 6afb7b3e5aefdc033531eb3dcab8d2e88d14c1199789b0696e13f59933985c36
          • Instruction Fuzzy Hash: C9111EB5D002088FCB20DF99D988BDEFBF4EB48324F14845AD659A3700C778A944CFA5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.448960946.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_100d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 72040955f0b57e1054634c48e92ed9b449e795c8f3782ff27cf4cac68a45f279
          • Instruction ID: af01e623dcb690d01c4335c22143875bb43e66f8ab6e6b31c940919f4e5cf45a
          • Opcode Fuzzy Hash: 72040955f0b57e1054634c48e92ed9b449e795c8f3782ff27cf4cac68a45f279
          • Instruction Fuzzy Hash: 27214871504200DFEB02DF94D9C0F6ABBA5FB88324F25C5A8E9490B287C736E845C7B2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.448960946.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_100d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b7e7b9146d18034bb2de86ed010c5989d8a1bb3f54c9ec9c463f00fb472fff81
          • Instruction ID: d2afad6d4c522cf4563971271619b187e2144ef7a97a55be08972b99b963811f
          • Opcode Fuzzy Hash: b7e7b9146d18034bb2de86ed010c5989d8a1bb3f54c9ec9c463f00fb472fff81
          • Instruction Fuzzy Hash: 1721F4B1504240DFEB02DF94D9C0B2ABBA5FB88328F24C5A9E9494B286C336D855C7B1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.448960946.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_100d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 566286b83333e2a50699d245e7932787e2ec1d932bc769a873b750ccf687959f
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 7111A276404240CFDB12CF54D5C4B56BFB1FB84324F25C6A9D8450B656C336D456CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.448960946.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_100d000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction ID: 3e410f660debe80eb557bad2a8f3494ef21cb29bebc563c8c00ea6ce34ab1bac
          • Opcode Fuzzy Hash: 1f7ac2f4481a1f3a02653cb926aa5f3ae966e0cf86c06822d5ce43077063c11a
          • Instruction Fuzzy Hash: 7211B176404280DFDB12CF54D9C4B16BFB1FB88324F24C6A9DC450B656C336D456CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:25.2%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:0%
          Total number of Nodes:8
          Total number of Limit Nodes:0
          Execution graph rendered graphically in the original report: entry nodes at 2532560 and 2532109, both reaching a NtProtectVirtualMemory call.

          Control-flow Graph: function starting at 2532109 (calls NtProtectVirtualMemory from the block 253250d-25325f6); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 025325E9
          Memory Dump Source
          • Source File: 00000015.00000002.460082726.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_21_2_2530000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID:
          • API String ID: 2706961497-0
          • Opcode ID: 1d42f207873c93c6d6c44459e5fb2b36797c106c7a0c98dbc261adbd9f8230ba
          • Instruction ID: 28eda075e6932123eeb2fa01d060df951658ade96bf376bf3714172e0ffd67a9
          • Opcode Fuzzy Hash: 1d42f207873c93c6d6c44459e5fb2b36797c106c7a0c98dbc261adbd9f8230ba
          • Instruction Fuzzy Hash: 64E1AB31F007158BDB15CAADCC903AE77A3BBC4224F199629EA19DB7C4EB34DD018799
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph: function 2532560-25325f6 (calls NtProtectVirtualMemory); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          APIs
          • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 025325E9
          Memory Dump Source
          • Source File: 00000015.00000002.460082726.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_21_2_2530000_RegAsm.jbxd
          Similarity
          • API ID: MemoryProtectVirtual
          • String ID:
          • API String ID: 2706961497-0
          • Opcode ID: d5f6678efe66d8b5bc445084ab9ec2d157cb4f593c1247ef1d7e2b98ec1450f9
          • Instruction ID: d765edba08b696f2b607d46b3910c5ec6614fce09edc9b7a3e5c20faae9aa7fc
          • Opcode Fuzzy Hash: d5f6678efe66d8b5bc445084ab9ec2d157cb4f593c1247ef1d7e2b98ec1450f9
          • Instruction Fuzzy Hash: 9D21E3B1D006499FCB10CFAAD984ADEFBF5FF48314F50842AE919A7240C7759A05CBA5
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph: function starting at a4d3b4 (no API calls); the graph itself is rendered graphically in the original report, with executed and not-executed basic blocks distinguished by colour.
          Memory Dump Source
          • Source File: 00000015.00000002.458103776.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_21_2_a4d000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 553dc96cb80c6e2f39ab8c28cc44cfe0ecdba1abd7dcd8f95a18f61014c5cac7
          • Instruction ID: 834e00398adc1d2bc78c4f0fc85510133336dd0ef6cadc0414e712884532b7a5
          • Opcode Fuzzy Hash: 553dc96cb80c6e2f39ab8c28cc44cfe0ecdba1abd7dcd8f95a18f61014c5cac7
          • Instruction Fuzzy Hash: 1721F2B9604240EFDB05DF10D9C0F26BB75FBD8324F24C5A9E9094B246C336E856DBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000015.00000002.458103776.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_21_2_a4d000_RegAsm.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b1b1824f43b99516a3dc645dcebbfdd2397cc6bb7c6ab0d651b73c2d5db6fa2e
          • Instruction ID: b1075d56a184ac71c7b5423dbafbc42d20f8206bffe289277f24f4136097f044
          • Opcode Fuzzy Hash: b1b1824f43b99516a3dc645dcebbfdd2397cc6bb7c6ab0d651b73c2d5db6fa2e
          • Instruction Fuzzy Hash: B811E27A504280CFDF12CF10D9C4B16BF71FB94324F24C6A9D8490B656C33AE85ACBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: ]
          • API String ID: 0-3352871620
          • Opcode ID: dde3a5800c343ec668c4d5ffc09a002c1a6b7fd87da02066e782c9e10a2dfb02
          • Instruction ID: 9ef14795d348ad8f34e276a68fac6f04d75bbb0b1a839a222df021c340dd062f
          • Opcode Fuzzy Hash: dde3a5800c343ec668c4d5ffc09a002c1a6b7fd87da02066e782c9e10a2dfb02
          • Instruction Fuzzy Hash: 4ED1D536600514DFCB0ADF98C988D58BBB2FF4D318B1A8199E6099F272C772EC51DB51
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: 2
          • API String ID: 0-450215437
          • Opcode ID: 27275877db65cd5a8476f84f9e66746419f345a0ef07a508e29abaab89cf2b51
          • Instruction ID: 5627cb49b48b91020218d1e814dfd1dd799d73311cafa3f5e460e8bd0368f4e4
          • Opcode Fuzzy Hash: 27275877db65cd5a8476f84f9e66746419f345a0ef07a508e29abaab89cf2b51
          • Instruction Fuzzy Hash: AF515C70E0460EDFDB09CFE8D454AADBBF1EB4D304F01446AE94AAB211E7B19945CF62
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: A
          • API String ID: 0-3554254475
          • Opcode ID: 5d4e5963fab85ca827e107aa78477503cfbe6514e3fa82783d01c9550f9b6775
          • Instruction ID: 7b4007730af4cc121fd05ba3ccfcd4451e44f0f84e8eb1b81f0da9f8a52ac140
          • Opcode Fuzzy Hash: 5d4e5963fab85ca827e107aa78477503cfbe6514e3fa82783d01c9550f9b6775
          • Instruction Fuzzy Hash: 6751F6757041109FC74ADFA8C954664BBE2EB8A318B2D84A9D81DCB347C736DD03C7A1
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: ,Hsl
          • API String ID: 0-4114551972
          • Opcode ID: 86d12c55a92899b233529f07d728bc28ea2c24db9b048a00842d296ba8b7c34d
          • Instruction ID: a51c06c00d07a16524a8347193330fe5b56b571ce8b0b2dbc00429452ac5c3df
          • Opcode Fuzzy Hash: 86d12c55a92899b233529f07d728bc28ea2c24db9b048a00842d296ba8b7c34d
          • Instruction Fuzzy Hash: 38415E30B005109FDB59DB68C8A4BAEB7E2EF89714F1480A8E506AF3A1DF759C42CB55
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: P<u
          • API String ID: 0-3227585518
          • Opcode ID: 5e5219042ea3d7044560b57e30c34b960cbd838b34ac598fdfb509fb00888b96
          • Instruction ID: 11ed1e1023b29dfccd74a4faa82bc40f2f2c0fe2524ede60b6cdd24b9028bcc4
          • Opcode Fuzzy Hash: 5e5219042ea3d7044560b57e30c34b960cbd838b34ac598fdfb509fb00888b96
          • Instruction Fuzzy Hash: 74516C387041009FC758EF98C991A6DB7F2EFC9718F288459D80A9B795CB72ED02CB91
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: P<u
          • API String ID: 0-3227585518
          • Opcode ID: 6f0b7ddd619c3acb31a8d7a8f2ee16b0bd16503fa7e8ff044bbd019fa6150751
          • Instruction ID: 41f39d28d64a52a4bd412d427c8957e6d5c6a1f114c8d724aaad11da576e5650
          • Opcode Fuzzy Hash: 6f0b7ddd619c3acb31a8d7a8f2ee16b0bd16503fa7e8ff044bbd019fa6150751
          • Instruction Fuzzy Hash: 99517D387001049FD754EF98C991A6DB7F2EFC9308F248059E90A9B795CB72ED02CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: 2
          • API String ID: 0-450215437
          • Opcode ID: d7b1adb27bf8a850bb3d2d6b5f382dc4d5e4428dc39a6dfa350919fde916dc0b
          • Instruction ID: 80336d7374ef5e998d52aadf69f33c26d74afd97087d78836b800c857cd42e76
          • Opcode Fuzzy Hash: d7b1adb27bf8a850bb3d2d6b5f382dc4d5e4428dc39a6dfa350919fde916dc0b
          • Instruction Fuzzy Hash: 7CE0862090E7C8CFC71B87A06C266ED7FB49F43100F4900C7E885D7553C2640A15CB62
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: ^
          • API String ID: 0-1590793086
          • Opcode ID: d091e5e6f51828b6b63a83335c1755bcbc92eb51faed578c08eb775a9994b5d3
          • Instruction ID: 901d00e8b0f8e043ffe61d27d9a67949b2319a671006e444679353db097d1b26
          • Opcode Fuzzy Hash: d091e5e6f51828b6b63a83335c1755bcbc92eb51faed578c08eb775a9994b5d3
          • Instruction Fuzzy Hash: 97D0A71050C9C89FC71DCBD499297AE7FA49B06205F4501D9E84907613E6F50A94D383
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: 2
          • API String ID: 0-450215437
          • Opcode ID: 910a8010cc3ca0c753b720dd5c5557a8a65e7f540b193bc8c6fe719fd8807fd3
          • Instruction ID: 4729530cb9f60d1322db5b52e979054200763c714e5be2230fd78213aeab8384
          • Opcode Fuzzy Hash: 910a8010cc3ca0c753b720dd5c5557a8a65e7f540b193bc8c6fe719fd8807fd3
          • Instruction Fuzzy Hash: 54C01230A0A608EBC60CCBC1F809929B7BCE705211F800086F80A83240CBB12F009AE2
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID: ^
          • API String ID: 0-1590793086
          • Opcode ID: 03d12f013ec61ac9e7099bea49e822ab212d18b2ba5c37bcc6c33d14ee07185a
          • Instruction ID: b2b5b9f03925c70ffff711129fa7366a810887bb6a6d051765ccb622c067c37a
          • Opcode Fuzzy Hash: 03d12f013ec61ac9e7099bea49e822ab212d18b2ba5c37bcc6c33d14ee07185a
          • Instruction Fuzzy Hash: 95C08C20608A0CEBC64CDAC1D80953EB3EC9708306F11028AF80D43600EBF61E605683
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5ef84c0c9f030cd306f3ea7bd6852251d51e0ad986af193f5f03a30561fa518e
          • Instruction ID: 5104e898b5be40f5effbbda1a77e705991d977518235c60b041573d47df3267b
          • Opcode Fuzzy Hash: 5ef84c0c9f030cd306f3ea7bd6852251d51e0ad986af193f5f03a30561fa518e
          • Instruction Fuzzy Hash: 8EB1EF70A016298FDB98EF64CC54BDDB7B2AF99304F5042E5E50DA7291DB701E82CF51
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a9fb99d687b5430998f74388e6663ba3fe7b30cf297003f267057b009c91f981
          • Instruction ID: b744d96f3eb00a9599e4dfd645458d6fc126d1ec22e74627af38491159a41441
          • Opcode Fuzzy Hash: a9fb99d687b5430998f74388e6663ba3fe7b30cf297003f267057b009c91f981
          • Instruction Fuzzy Hash: 89511E4A60F7D11EC703777C69B85D93FA14D27129B0E09D3C6C9CE863A649884A93AF
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 69f900e87f1263fcad48a3f6744c6e975faee30bce2747652922eaa6e56c7940
          • Instruction ID: b3824be18f0faa454c7abea6713b00995d825c66e3819249fbd8bd940b93b5f8
          • Opcode Fuzzy Hash: 69f900e87f1263fcad48a3f6744c6e975faee30bce2747652922eaa6e56c7940
          • Instruction Fuzzy Hash: 2A51F8347001054FD788FBA8C560BAEB3E6EB8D719F148469E90EEB785CE759D0387A1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 04a5d89c0b634ed3bf4126db0d29a086a5039ba088925354024fe274200d791a
          • Instruction ID: 19de53aa988197829201ea2eeb7d9fb2f3ac4863eb9a168010b9641eb04247ed
          • Opcode Fuzzy Hash: 04a5d89c0b634ed3bf4126db0d29a086a5039ba088925354024fe274200d791a
          • Instruction Fuzzy Hash: 8741FB78A051088FDB55DFA8C591A9DB7F1EB4C308F248569E809E7346DB31AD42CF60
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2104d482de26bb86f35c40d5f3c08d98fa654ec26f8b199d1339b94ea98d147a
          • Instruction ID: 179c4076b4ab4a0e85d64dc0df98171dd70c35113c0e884932c237205f698d76
          • Opcode Fuzzy Hash: 2104d482de26bb86f35c40d5f3c08d98fa654ec26f8b199d1339b94ea98d147a
          • Instruction Fuzzy Hash: B62130397040049FD744EF58DD61B6AB7A2EBC9708F24C459A9099B3D6CA73ED03CB50
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 993d50cad2e68c8b9de0a089b2f448690cc21bc25b44d5da7e7dc77901baf7e8
          • Instruction ID: 779d6e40b93056242e6b10e317d075e89c0d655d89bfd58c22b6b3da962ce140
          • Opcode Fuzzy Hash: 993d50cad2e68c8b9de0a089b2f448690cc21bc25b44d5da7e7dc77901baf7e8
          • Instruction Fuzzy Hash: 74F01C3774CA10D7D63C40CA6CBC97AA6DDE3AD661B574033E95BD2200C7B29D428DA3
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1dcdff6386547401e3d4bdacc8ae4c9b31c24b61479208cdb547b2a61d944e37
          • Instruction ID: ae84dfad59f7014318eea29ae77778ecfd640fec6a63bad41bce693bbb6bb97f
          • Opcode Fuzzy Hash: 1dcdff6386547401e3d4bdacc8ae4c9b31c24b61479208cdb547b2a61d944e37
          • Instruction Fuzzy Hash: E0F0815410E3C42FD31763389D756963FA58B43218F4A44E7D0C58B6A3D9A99C0AC3A6
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5473f0988108ca2250e79f7254841645e9be208b6bf025e5c2a37613a132860
          • Instruction ID: efadde091b6b1cf244899582d8f19da0494cefeec8df2e0012f716179c84a001
          • Opcode Fuzzy Hash: c5473f0988108ca2250e79f7254841645e9be208b6bf025e5c2a37613a132860
          • Instruction Fuzzy Hash: A4018B38A49A04EFEB09CB84D599BA8B7F1EF46304F28814AD4178B386C7359907CF80
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ea81776d9e457df85bd120e0d2c75674d5f3d93e3af17ed07e210e34146bf80a
          • Instruction ID: 78fe1b0937c3967410afe82830bc60f74a5139ef66bbd9537c94c831ad8b6910
          • Opcode Fuzzy Hash: ea81776d9e457df85bd120e0d2c75674d5f3d93e3af17ed07e210e34146bf80a
          • Instruction Fuzzy Hash: 91F027703057001FD3055325EC786AB3FE5CBCA231B11057AD50EC7392CD980C0583BA
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 4503000aead309565d5b23d05df504179f0789551c0e0f9a80237ead5cb973d0
          • Instruction ID: b08116cee5b28cec7159b5e03695f665941cf37c14c2df9b8cb0b3b46d323a3b
          • Opcode Fuzzy Hash: 4503000aead309565d5b23d05df504179f0789551c0e0f9a80237ead5cb973d0
          • Instruction Fuzzy Hash: 3BE04F31300B005FD3446769FC68A6B7ADADBCD276B110939EA0EC7395DE645C0687BA
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7861b097d77404069aea7fca9b7593d4a4c03db597e94271e7db16269bf31087
          • Instruction ID: 0cc01b9c6c61e4734683c51f9924668f283ffae759b8b8d8464373265e4fba60
          • Opcode Fuzzy Hash: 7861b097d77404069aea7fca9b7593d4a4c03db597e94271e7db16269bf31087
          • Instruction Fuzzy Hash: FDE0B6B9C0064EDFDB09CAD0C82939DB7F9BB14750F615215D42AAF314EB305946CF15
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 78223b3c2bb370796f9303edd84038feddbae0761cc9af4305ff3ed47839bab9
          • Instruction ID: 5b17fad340d387fd6d35ed509466bfd862bc1f7801cd98a14418662e18e8c92e
          • Opcode Fuzzy Hash: 78223b3c2bb370796f9303edd84038feddbae0761cc9af4305ff3ed47839bab9
          • Instruction Fuzzy Hash: 82E04878E043489FCB48CFD8C59499CBBF1BB9D304B20895AE82AAB315D731AD06CF50
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3ffdeabcd30e17c8f6eb0b596ca91c081071478d4f3d95eede6d34dd8d6e35a7
          • Instruction ID: 4c4288c6a4e740bf39a1010fde4c4dc8787357538b59e69950a6e5cb0c992c72
          • Opcode Fuzzy Hash: 3ffdeabcd30e17c8f6eb0b596ca91c081071478d4f3d95eede6d34dd8d6e35a7
          • Instruction Fuzzy Hash: 72D05E20308F10C3060E6AE87A2C93C39E4854A5123420066F90B82A45DB922D0006E7
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a11dad49157f5be1dd2af2ff0f6a06981179df24d7116ca98954e63eff01b53f
          • Instruction ID: c7828af71f36f85adf4b3cfa6f2cc320b281ca8b1461dc395b60b49e15f14064
          • Opcode Fuzzy Hash: a11dad49157f5be1dd2af2ff0f6a06981179df24d7116ca98954e63eff01b53f
          • Instruction Fuzzy Hash: F7D05E342041046BC30DB659C94585B7AAAC7C3758B958068A80A0B789CE31ED03C3B2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7f6fe1063bfb75824fdd42f2f665c0558b7caee1b8cce193b25c3392718bf8ba
          • Instruction ID: 87bfa405dabcd7b8fb2ccfabd583abd7adb742a4767ce53153620e975c05cd07
          • Opcode Fuzzy Hash: 7f6fe1063bfb75824fdd42f2f665c0558b7caee1b8cce193b25c3392718bf8ba
          • Instruction Fuzzy Hash: CEE0EC74905505EBE718CFC4D599B6DBBF0BF46308F28440DD40697280C7759546CF81
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 564148f3872644bcedd568e57e0a6bdd46d2c8ed21d407dbc56d4198bc78e4f9
          • Instruction ID: 7d0c0b30fba80b1182a4361c7a74e57312acfbbf0dec7ae66c44108beffe340a
          • Opcode Fuzzy Hash: 564148f3872644bcedd568e57e0a6bdd46d2c8ed21d407dbc56d4198bc78e4f9
          • Instruction Fuzzy Hash: 94D05E30614305CFD3488F64C46999937F4FF0E320B224495D9029B262CB769C42CF21
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1ba4def7c59ea974d23fb10847fe5995e896c72cff04b125af269732a49ffd61
          • Instruction ID: e8a72c632c3bb3055469c92f37a132cce860e9ebfbcfc3feb4d2d7feb507b419
          • Opcode Fuzzy Hash: 1ba4def7c59ea974d23fb10847fe5995e896c72cff04b125af269732a49ffd61
          • Instruction Fuzzy Hash: 47D0129090D3D16FD70B07F440AF0A22FE18D0B0603064CC1DC82A7B22EA6858235351
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b77f1c12de00b00988c6ef4dc68ead065d2e44ad22457de627e95f358401e330
          • Instruction ID: 6eb8a5b7b6e97b957dbf281b8055eaa38aef0a11282f40c7d2791c4ceb4fc8e0
          • Opcode Fuzzy Hash: b77f1c12de00b00988c6ef4dc68ead065d2e44ad22457de627e95f358401e330
          • Instruction Fuzzy Hash: DDE0FEB4D0061ADFCF58CFA8C894AAEBBF0BB08240F608599D559F3300EB3459818F50
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c14246ced58254d7263abf0a7b23f395a41b68efc4df5ffb0206917069a0e494
          • Instruction ID: d1181869e0d7bcb9effaacb922b9d1197f451aaa13c097e5497e0d02c2f1ba54
          • Opcode Fuzzy Hash: c14246ced58254d7263abf0a7b23f395a41b68efc4df5ffb0206917069a0e494
          • Instruction Fuzzy Hash: E4D0A7393085048FC75EAFACD5612BD3AF2CF96349B5A041DD4038B785CA349905C773
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d83369930fb416951c35554f7f045c451cd5cb11d93e1a8607c4cf3c27b9c593
          • Instruction ID: 6958ba7d1967c274b355d834ea5e76b04a07b2aa254b5e5cb76e73fdc91c4779
          • Opcode Fuzzy Hash: d83369930fb416951c35554f7f045c451cd5cb11d93e1a8607c4cf3c27b9c593
          • Instruction Fuzzy Hash: A6D04874E00618DF8B08CFA8D8988DCBBF0BB1C251B158215E902B6310D3B068048F65
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b99d1615e8245cf59dfc1ff32fabda179f4c4a07476e9efc350643b6097cbabe
          • Instruction ID: 28e44e6901cf16e5805784855130fe79a2b13d59cdf7d9ea664a61fb6082ee11
          • Opcode Fuzzy Hash: b99d1615e8245cf59dfc1ff32fabda179f4c4a07476e9efc350643b6097cbabe
          • Instruction Fuzzy Hash: A1C08CB0C15200CFC388CF24C298848B7B0BF0C32032106A9E107DB331CB31D801CB10
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a50a79478b4a2eb9ca0da3f7470a6c120f627bb084a90c77c0abb1b349b9ced1
          • Instruction ID: 3ca139bbb4b72b4d7a9533975f90d96f41f752222763b843957e4c3f2fa34603
          • Opcode Fuzzy Hash: a50a79478b4a2eb9ca0da3f7470a6c120f627bb084a90c77c0abb1b349b9ced1
          • Instruction Fuzzy Hash: 98A022A0F00E03EB8F0CABF0002C0AE20EA2B8C0883300A2A8003F3200EF328C800320
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 0000001E.00000002.571858037.00000000011E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011E0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_30_2_11e0000_msdtc.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bf9ce859328ce89613530ee61437365c313140664179c0c187355983416da25f
          • Instruction ID: 1ac224217691afe2ed562629b820c203b6207f1edabf6e04444bc1e548b60baa
          • Opcode Fuzzy Hash: bf9ce859328ce89613530ee61437365c313140664179c0c187355983416da25f
          • Instruction Fuzzy Hash: C4A00224F14F51BB8F0D17B5643C53D3AE757CC5927614C295807C3398FE748C454A62
          Uniqueness

          Uniqueness Score: -1.00%