
Windows Analysis Report
1111110789_stripped.exe

Overview

General Information

Sample Name:1111110789_stripped.exe
Analysis ID:724751
MD5:ba218c4db9606a955d3dd4e5aba22b7f
SHA1:927f94547db0d01eb873807ec11950b641c207c2
SHA256:99735bf17537e921b53f4b4f2aada8fecbf1d0627ce3139b878151d9fe3f4b9f
Tags:exe
Infos:

Detection

AsyncRAT, DcRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DcRat
Antivirus detection for URL or domain
Yara detected AsyncRAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 1111110789_stripped.exe (PID: 684 cmdline: C:\Users\user\Desktop\1111110789_stripped.exe MD5: BA218C4DB9606A955D3DD4E5ABA22B7F)
    • RegAsm.exe (PID: 6128 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 5320 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5312 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5284 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5216 cmdline: cmd" /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 3724 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: BA218C4DB9606A955D3DD4E5ABA22B7F)
    • RegAsm.exe (PID: 2044 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 2148 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5288 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1744 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5208 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 1584 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: BA218C4DB9606A955D3DD4E5ABA22B7F)
    • RegAsm.exe (PID: 5356 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • cmd.exe (PID: 2408 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3508 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5540 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5100 cmdline: cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 5808 cmdline: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe MD5: BA218C4DB9606A955D3DD4E5ABA22B7F)
  • cleanup

Malware Configuration

{"Server": "venom12345.duckdns.org,venomunverified.duckdns.org", "Ports": "4449", "Version": "5.0.5", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "13hY2L4QQkwZIszSJIRogZg0oshQmzWu", "Mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC", "Certificate": "MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPLknDSnzkq9SuHSkPVyOxBFVoX/n/Y/SNOD2TO9vxmiaLG1rfOcnt7KPbQA3CJxOmVjCVDvtURayayaErAu6R280hq1HgF3iL7u8+5R9XY6JvXkaiKj2rYiEVKKWU55xGCztKNQAfUY7prw8li8QJk+J8vzitqKS1zz7G2UcGx1AgMBAAGjMjAwMB0GA1UdDgQWBBSyJslOSHG/21uHIrLBFtFJb3nJHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAG/y6mnqPy3k1abtSAqAnm79siuBJ99b4uxdaTRVNIjATBtYUb3stSpQGefhnzNh4YS6w3SvTZk/BwuWyC0MKvHEbQhbk4JyoIcF4s2wzd5/mcTYK/kwPzAGUp+b93Fp38f3TRgFz+fWVZGheqUlWxzMzV1boXz2JX4pGQTypJBM", "ServerSignature": "NCg54PLd2n8AEDSHQSmNfMcGUM+NFZObzWko+AQswKpLMJ6ybKRb5J/+Cq0oCg903QfMlcKBN23ZkC2YZqHpY/w9FmT+MXpUrkZjZV9+O1vXR+LeUfqiH27cAqfZ+RK8uYYKf4G1fwan7KMM8u0MSEoMlv8ggcZoyyPmsFd4SMk=", "BDOS": "null", "Startup_Delay": "1", "Group": "Venom Clients"}
Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x19c89:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
0000001C.00000002.402891320.0000000000F75000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x28ecf:$b2: DcRat By qwqdanchun1
0000001C.00000002.403928683.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x6b:$b2: DcRat By qwqdanchun1
00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x2327:$b2: DcRat By qwqdanchun1
0000000A.00000002.298467829.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1006b:$b2: DcRat By qwqdanchun1
00000001.00000002.508512430.0000000001585000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x288b7:$b2: DcRat By qwqdanchun1
(16 further entries not shown)
Source | Rule | Description | Author | Strings
38.2.msdtc.exe.26ec204.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
38.2.msdtc.exe.26ec204.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0xb398:$q1: Select * from Win32_CacheMemory
  • 0xb3d8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xb426:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xb474:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
1.0.RegAsm.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1.0.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0xd198:$q1: Select * from Win32_CacheMemory
  • 0xd1d8:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xd226:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xd274:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
38.2.msdtc.exe.26ec204.0.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(1 further entry not shown)
No Sigma rule has matched

Snort IDS alerts

Timestamp: 10/17/22-19:26:14.287650
Source IP: 185.216.71.4
Destination IP: 192.168.2.6
Source Port: 4449
Destination Port: 49708
SID: 2850454
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/17/22-19:26:14.287650
Source IP: 185.216.71.4
Destination IP: 192.168.2.6
Source Port: 4449
Destination Port: 49708
SID: 2848152
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 1111110789_stripped.exe | Avira: detected
Source: venom12345.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Avira: detection malicious, Label: HEUR/AGEN.1235903
Source: 1111110789_stripped.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "venom12345.duckdns.org,venomunverified.duckdns.org", "Ports": "4449", "Version": "5.0.5", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "13hY2L4QQkwZIszSJIRogZg0oshQmzWu", "Mutex": "Venom_RAT_HVNC_Mutex_Venom RAT_HVNC", "Certificate": "MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPLknDSnzkq9SuHSkPVyOxBFVoX/n/Y/SNOD2TO9vxmiaLG1rfOcnt7KPbQA3CJxOmVjCVDvtURayayaErAu6R280hq1HgF3iL7u8+5R9XY6JvXkaiKj2rYiEVKKWU55xGCztKNQAfUY7prw8li8QJk+J8vzitqKS1zz7G2UcGx1AgMBAAGjMjAwMB0GA1UdDgQWBBSyJslOSHG/21uHIrLBFtFJb3nJHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAG/y6mnqPy3k1abtSAqAnm79siuBJ99b4uxdaTRVNIjATBtYUb3stSpQGefhnzNh4YS6w3SvTZk/BwuWyC0MKvHEbQhbk4JyoIcF4s2wzd5/mcTYK/kwPzAGUp+b93Fp38f3TRgFz+fWVZGheqUlWxzMzV1boXz2JX4pGQTypJBM", "ServerSignature": "NCg54PLd2n8AEDSHQSmNfMcGUM+NFZObzWko+AQswKpLMJ6ybKRb5J/+Cq0oCg903QfMlcKBN23ZkC2YZqHpY/w9FmT+MXpUrkZjZV9+O1vXR+LeUfqiH27cAqfZ+RK8uYYKf4G1fwan7KMM8u0MSEoMlv8ggcZoyyPmsFd4SMk=", "BDOS": "null", "Startup_Delay": "1", "Group": "Venom Clients"}
Source: 1111110789_stripped.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1111110789_stripped.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2850454 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) 185.216.71.4:4449 -> 192.168.2.6:49708
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 185.216.71.4:4449 -> 192.168.2.6:49708
Source: Malware configuration extractor | URLs: venom12345.duckdns.org
Source: Malware configuration extractor | URLs: venomunverified.duckdns.org
Source: unknown | DNS query: name: venom12345.duckdns.org
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 185.216.71.4:4449
Source: RegAsm.exe, 00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000001.00000002.508512430.0000000001585000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000001.00000002.513013520.000000000324C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | DNS traffic detected: queries for: venom12345.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.254425551.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1111110789_stripped.exe PID: 684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 5808, type: MEMORYSTR
Source: msdtc.exe, 00000009.00000002.291676626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000001C.00000002.402891320.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001C.00000002.403928683.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.298467829.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.508512430.0000000001585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000000A.00000002.303426131.0000000004968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.509118659.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2044, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 5356, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 1111110789_stripped.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000001C.00000002.402891320.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001C.00000002.403928683.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.298467829.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.508512430.0000000001585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000A.00000002.303426131.0000000004968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.509118659.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 2044, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: RegAsm.exe PID: 5356, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F2118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017FE960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017FACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F9FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F2109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F1590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F1580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F9CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_02C41580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_02C41590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_02C42109
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Code function: 0_2_01743C80 CreateProcessAsUserA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F2118 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_017F2558 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_02C42560 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 28_2_02C42109 NtProtectVirtualMemory
Source: 1111110789_stripped.exe, 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe, vs 1111110789_stripped.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msdmo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: 1111110789_stripped.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msdtc.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1111110789_stripped.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\1111110789_stripped.exe C:\Users\user\Desktop\1111110789_stripped.exe
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtcJump to behavior
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /fJump to behavior
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exeJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
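The process tree above is the whole persistence chain: the dropper creates %APPDATA%\msdtc, copies itself there as msdtc.exe, and registers a scheduled task ("Nafifas") that re-launches that copy every minute, so killing the process is undone within 60 seconds. The following Python is an added example, not code from the report or from the RAT: it parses constructed process-creation events (the first three are modelled on the command lines above, the fourth is an invented benign control) and flags a schtasks /create whose action lives in a user-writable directory and whose repeat interval is short, plus the self-copy into that directory. The EVENTS list, the USER_WRITABLE markers and the 5-minute threshold are assumptions chosen for the example.

```python
import re

# Constructed process-creation events: (parent image, child command line).
# Events 0-2 follow the report's command lines; event 3 is an invented
# benign-looking control case. None of this is captured telemetry.
EVENTS = [
    (r"C:\Users\user\Desktop\1111110789_stripped.exe",
     r'cmd /c mkdir "C:\Users\user\AppData\Roaming\msdtc"'),
    (r"C:\Users\user\Desktop\1111110789_stripped.exe",
     r'cmd /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f'''),
    (r"C:\Windows\System32\svchost.exe",
     r'schtasks /create /sc daily /tn "GoogleUpdateTaskMachineUA" /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /f'),
]

# Directories an unprivileged user can write to (assumed list). A task whose
# action lives here was planted by something running as that user.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "%appdata%", "%temp%")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_EXE = re.compile(r"""^['"]?(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?=['"\s]|$)""", re.I)


def tokenize(cmdline):
    """Split a Windows command line; a double-quoted run is one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def target_exe(tr_value):
    """First executable in a /tr value, ignoring the single quotes schtasks
    passes through and any trailing arguments."""
    m = _EXE.match(tr_value.strip())
    return m.group(1) if m else tr_value.strip()


def parse_schtasks(tokens):
    """Options of a schtasks /create invocation (switch names without the
    slash), or None if this is not a /create."""
    opts = {}
    i = 0
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("/create", "/f"):
            opts[t[1:]] = True
        elif t in ("/sc", "/mo", "/tn", "/tr", "/ru", "/st") and i + 1 < len(tokens):
            opts[t[1:]] = tokens[i + 1]
            i += 1
        i += 1
    return opts if opts.get("create") else None


def interval_minutes(sc, mo):
    """Repeat interval in minutes for /sc minute|hourly|daily; None for
    one-shot or event triggers (once, onlogon, onstart, ...)."""
    n = int(mo) if mo and mo.isdigit() else 1      # schtasks defaults /mo to 1
    return {"minute": n, "hourly": 60 * n, "daily": 1440 * n}.get((sc or "").lower())


def assess(parent_image, cmdline, max_minutes=5):
    """Findings for one process-creation event; empty list means nothing notable."""
    findings = []
    tokens = tokenize(cmdline)
    low = [t.lower() for t in tokens]

    # 1. schtasks /create whose action sits in a user-writable directory. A
    #    short repeat interval is the watchdog pattern seen in the report.
    for i, t in enumerate(low):
        if t.endswith(("schtasks", "schtasks.exe")):
            opts = parse_schtasks(tokens[i + 1:])
            if opts:
                exe = target_exe(opts.get("tr", ""))
                every = interval_minutes(opts.get("sc"), opts.get("mo"))
                if is_user_writable(exe):
                    when = f"every {every} min" if every is not None else f"on {opts.get('sc')}"
                    findings.append(f"schtasks: task {opts.get('tn')!r} runs {exe} {when} from a user-writable path")
                    if every is not None and every <= max_minutes:
                        findings.append(f"schtasks: {every} min repeat interval is a re-launch watchdog")
            break

    # 2. copy <src> <user-writable .exe>; src equal to the parent is a self-copy.
    if "copy" in low:
        j = low.index("copy")
        if j + 2 < len(tokens):
            src, dst = tokens[j + 1], tokens[j + 2]
            if is_user_writable(dst) and dst.lower().endswith(".exe"):
                kind = "self-copy" if src.lower() == parent_image.lower() else "copy"
                findings.append(f"{kind}: {src} -> {dst}")
    return findings


def scan(events, max_minutes=5):
    """Event index -> findings, for the events that produced any."""
    hits = {}
    for i, (parent, cmd) in enumerate(events):
        findings = assess(parent, cmd, max_minutes)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for i, findings in scan(EVENTS).items():
        print(i, EVENTS[i][1])
        for f in findings:
            print("   ", f)
```

The same logic maps onto Sysmon Event ID 1 or Windows 4688 records by feeding ParentImage and CommandLine into assess(); a daily task pointing at Program Files, as in the control event, produces no finding.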
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | File created: C:\Users\user\AppData\Roaming\msdtc
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@43/7@1/1
        Source: 1111110789_stripped.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: 1.0.RegAsm.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded string: 'OMwDkO6HclIV0E7U/cv1LfRWNry4Hw4R1EWfn0aEa7NWZ+Rx9CC/veUI3F2uHnoZZ1g7W9FSNiGdKXnwVl+Ywg==', 'oprpUz+oBUaZ7oEBwMb9CXJSB0U9k/OE9MxGxyFzS1pdDz+EtEc7/CodE8tw0iRpsFmACBC4OSWXkrREwv8ZTNHHUqhFOr1j/vNmMqSiHCvV3G8Zc46zyeW4JZpLCQeikNi0lbG8cGG7PeIx4JvlUg==', 'gI0TnYLSVAmlBOWcNM+Gqj0HsCC1jskE3G01V+az8qWk51YowIWtk6UAoWehiS9JT+EkC7XygIx3+E5QgvuOpN7HmD9BZ5DYBtTqpREpNJGgAREGxfmtaFgEn+5iilWg', 'KVCbAPtHg2sOkxbeg1in+MAxh8F+hPmtiq/QBb8CuSEFpWR/YZ/EvN0CrNGo12dLeOfRAAXIVw6+gm7+57YCRzIVLqh1SSFv1AAi/uzXTFP7CiyLGVzKZtPf+LVsYfnzkXCxiHbGPtk9zmYaXwIy0zjP6PrfN7TWsmial7GObg5pIHddVkRXbhO9qbTH3P8Co1s2d/5C4b8TtSv4Jlrx21jT0LNqBJ9BW5tyrLWWujAM7NmE0nGEgpM0zGiDc78L1C+BNBf0mG5pTCU9e2X6qkLDpxRyNJeI3WtUzovh+uKmjph/Mr/isZA5QT+ipu1usf5J3fAZjV5k1hMBihb0Syd20Oi3mArpD9cRusx8adoLI5Dovy8LiktRyoNbTafCInCkxwxACE/E2AAathN1BTjoZFZ1cYrLef8uzGO6qpRX+UjvAlg9y/bfxUVUd3KKPB6VU7uf0hczUJN8R6R/EvfCPWCekaDoS0hjGM1IuXl2A4Idj3ERoUoD2lT3C6dhlhJzYvljFfUvNAwCHoTKqbQKQNt+D/ifxPGNUY9mYeYKs3cji0D4ul8vwTgTnWm1F+Ddn72s9POMPLGjS79xxwGJfIc+6jwtqcH93YzUTxbffYcSOtA3NdgjQsgYLNv6DdhmEmvfeWIPZnaOJtMlEx8I2Q9chT4Hd1P884J6j1Af7rFI8XSeFx8E7UmVo8+c92vnn28gxRGFi4LlACfiWVlwBoZ+2+x8Sb3cfxTALkkJhoUh7oXWCXdRJZn76hVj4YzFyc3SA8BAI6cMn4MxWN4YxD/C1mupxxKVfcu/CE9Ujjr2XfY8qWu7Gar6lrwQt0/AQ+Ejh0qkgkBFFj8VIIwlcU9GGc4OqyIDo5bAp+IsngrxaUIGg68YdkaNPIm4SF/4afSZRqUSksKd4GeUxZ7zLwrEgzCBd8GHgb7G+mI5DkOOMLYWL9XLKgY3U6GcnSJNUO99oBoHMEiLpTUioyXbeO8TwItalBQ5Wz2gRCzqvaXCsQagj4T+oaXI0jmyH4QpGPH6sltIwCiMyk+1Ix5nhuC3RAIL7MTacOr/sQaO/P8euGiAVeALY9Sbgm73', 'S2IIVU59OjzYZzgY8kcEo77Cg84OEGr7EIFm7yXFgRDeRYl9ZfMIDSkLfkOPUh4ksbdkueJJu4KnEi5WliJgvw==', 'oLDIdGnpEIhZtrM8g88wkQWg2d7WFud2S2VEtySk8xBsmM3znR8cDFDQkEVL5futxTIaGFtfbLlpAYc15Tcn+w==', 'vx30jPb7ahrviKPj/jXnE4qn2cNJhxOcpxsnGn/1ZPXCj/ygm12WmvrxfUByDGYMiH+019dPCrD9Xz6R/pWY8w==', 'gYCVnswLcxNczg3GNNpeA5GAIjf+I57q1lz9fjG6PhHRcLFUbmHan6tEaTuIe0Ztq6HRkNEz4dBHYjMDcpUAqg==', 'mel0Ev5fhSJFPyjA23mR8ylCK2rYlOCC9gGu8FIkeMiSkX4fW45YDG/fp/YMpUKh7Gp1NJLdEVY1HpnujK6Q8Q=='
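The Base64 strings in Client/Settings.cs are the encrypted configuration (hosts, ports, mutex, install flag, certificate and so on) of the AsyncRAT code base, of which DcRat and VenomRAT are forks. In the open-source client each setting is Base64(HMAC-SHA256 tag (32 bytes) || IV (16 bytes) || AES-256-CBC ciphertext), with the AES key and the HMAC key taken from one PBKDF2-HMAC-SHA1 stream derived from the Base64-decoded Settings.Key and a fixed salt over 50000 iterations. The block below is an added example written for this page, not code from the report or from the RAT source: it checks that the strings listed above have exactly that shape, verifies the HMAC once a key is known, and only then decrypts. REPORT_STRINGS are copied from the line above; the salt and iteration count are those of the public AsyncRAT client and are an assumption for this build (forks sometimes change the salt, in which case verify() returns False and nothing should be decrypted). The master key itself is not among the strings on this page, so decrypt() cannot be exercised against this sample here; "example-master-key" is a placeholder.

```python
import base64
import hashlib
import hmac

# Key-derivation constants of the public AsyncRAT client's Aes256 class,
# Rfc2898DeriveBytes(masterKey, Salt, 50000). Assumption: this DcRat/VenomRAT
# build kept them unchanged.
ASYNCRAT_SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
    0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])
ITERATIONS = 50000
HMAC_LEN, IV_LEN, BLOCK = 32, 16, 16

# Four of the Settings.cs strings the report lists for this sample.
REPORT_STRINGS = [
    "OMwDkO6HclIV0E7U/cv1LfRWNry4Hw4R1EWfn0aEa7NWZ+Rx9CC/veUI3F2uHnoZZ1g7W9FSNiGdKXnwVl+Ywg==",
    "oprpUz+oBUaZ7oEBwMb9CXJSB0U9k/OE9MxGxyFzS1pdDz+EtEc7/CodE8tw0iRpsFmACBC4OSWXkrREwv8ZTNHHUqhFOr1j/vNmMqSiHCvV3G8Zc46zyeW4JZpLCQeikNi0lbG8cGG7PeIx4JvlUg==",
    "gI0TnYLSVAmlBOWcNM+Gqj0HsCC1jskE3G01V+az8qWk51YowIWtk6UAoWehiS9JT+EkC7XygIx3+E5QgvuOpN7HmD9BZ5DYBtTqpREpNJGgAREGxfmtaFgEn+5iilWg",
    "S2IIVU59OjzYZzgY8kcEo77Cg84OEGr7EIFm7yXFgRDeRYl9ZfMIDSkLfkOPUh4ksbdkueJJu4KnEi5WliJgvw==",
]


def derive_keys(master_key, salt=ASYNCRAT_SALT):
    """(aes_key, hmac_key). .NET's GetBytes(32) then GetBytes(64) are
    consecutive slices of one PBKDF2 stream, so derive 96 bytes and split."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt, ITERATIONS, dklen=96)
    return stream[:32], stream[32:96]


def layout(b64):
    """Split one setting into (tag, iv, ciphertext), or None when the bytes
    cannot be HMAC(32) || IV(16) || whole AES blocks."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    body = len(raw) - HMAC_LEN - IV_LEN
    if body < BLOCK or body % BLOCK:
        return None
    return raw[:HMAC_LEN], raw[HMAC_LEN:HMAC_LEN + IV_LEN], raw[HMAC_LEN + IV_LEN:]


def verify(master_key, b64, salt=ASYNCRAT_SALT):
    """True when the tag is HMAC-SHA256(hmac_key, IV || ciphertext)."""
    parts = layout(b64)
    if parts is None:
        return False
    tag, iv, ct = parts
    _, hmac_key = derive_keys(master_key, salt)
    return hmac.compare_digest(tag, hmac.new(hmac_key, iv + ct, hashlib.sha256).digest())


def envelope(master_key, iv, body, salt=ASYNCRAT_SALT):
    """Wrap an IV and an already-encrypted body in the AsyncRAT envelope.
    Used here only to build test vectors; it performs no AES."""
    _, hmac_key = derive_keys(master_key, salt)
    tag = hmac.new(hmac_key, iv + body, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + body).decode("ascii")


def decrypt(master_key, b64, salt=ASYNCRAT_SALT):
    """Verify first, then AES-256-CBC/PKCS7 decrypt. This step needs the
    'cryptography' package; everything else here is standard library."""
    if not verify(master_key, b64, salt):
        raise ValueError("HMAC mismatch: wrong key, different salt, or not an AsyncRAT setting")
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    _, iv, ct = layout(b64)
    aes_key, _ = derive_keys(master_key, salt)
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(dec.update(ct) + dec.finalize()) + unpad.finalize()).decode("utf-8")


def triage(strings):
    """Ciphertext length per string, or None where the shape does not fit."""
    out = []
    for s in strings:
        parts = layout(s)
        out.append(len(parts[2]) if parts else None)
    return out


if __name__ == "__main__":
    print(triage(REPORT_STRINGS))
```

Every listed string decodes to 48 bytes of tag and IV plus a whole number of AES blocks, which is the cheap static tell that separates this family's settings from other Base64 blobs in a .NET binary; the HMAC check is what stops a wrong key or a fork with a changed salt from producing garbage that looks like a decryption.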
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3476:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: 1111110789_stripped.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: 1111110789_stripped.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Data Obfuscation

        Source: 1.0.RegAsm.exe.400000.0.unpack, Client/Connection/ClientSocket.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: initial sample | Static PE information: section name: .text entropy: 7.674793845031527
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
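A .text section with entropy 7.67 bits per byte is far above what compiled code produces (usually 5 to 6.5) and sits in the band of encrypted or compressed data, which matches the AppDomain::Load(byte[]) call above: the dropper carries the real client as an encrypted blob and loads it reflectively. The block below is an added example, not code from the report or from any tool it names: it walks the COFF section table of a PE image, computes the Shannon entropy of each section's raw bytes and flags those at or above a threshold. build_minimal_pe() is a constructed fixture that only exercises the parser; the 7.0 threshold is an assumption, a common rule of thumb rather than a value from the page.

```python
import math
import struct


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, raw_bytes) for each COFF section header. Only the fields
    the walk needs are read: e_lfanew, NumberOfSections, SizeOfOptionalHeader,
    and each section's name, SizeOfRawData and PointerToRawData."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image):
    return {name: shannon_entropy(body) for name, body in pe_sections(image)}


def flag_packed(entropies, threshold=7.0):
    """Names of sections at or above the threshold; the report's .text at
    7.67 would be flagged."""
    return [name for name, h in entropies.items() if h >= threshold]


def build_minimal_pe(sections):
    """Constructed fixture, not a loadable binary: DOS stub, PE signature,
    COFF header with no optional header, then the given (name, body)
    sections laid out back to back."""
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + 20
    raw_ptr = table_off + 40 * len(sections)
    table, bodies = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        bodies += body
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"PE\0\0" + coff + table + bodies


if __name__ == "__main__":
    sample = build_minimal_pe([(".text", bytes(range(256)) * 8), (".rdata", b"\0" * 2048)])
    ent = section_entropies(sample)
    print({k: round(v, 3) for k, v in ent.items()}, flag_packed(ent))
```

On a real file, read it as bytes and pass it to section_entropies(); a .NET assembly whose .text is near 8.0 almost always carries an embedded payload rather than IL, and the next step is to dump what AppDomain::Load receives.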

        Boot Survival

        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000001.00000000.254425551.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 1111110789_stripped.exe PID: 684, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 5808, type: MEMORYSTR
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process information set: NOOPENFILEERRORBOX (18 identical entries collapsed)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (87 identical entries collapsed)
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries collapsed)

        Malware Analysis System Evasion

        barindex
        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000001.00000000.254425551.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 1111110789_stripped.exe PID: 684, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 5808, type: MEMORYSTR
        Source: C:\Users\user\Desktop\1111110789_stripped.exe TID: 6136 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3732 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1100 | Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1100 | Thread sleep count: 99 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5012 | Thread sleep count: 9790 > 30
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe TID: 4692 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2688 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe TID: 5144 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5404 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 9790
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
        Source: RegAsm.exe, 00000001.00000003.267309500.000000000564E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.509118659.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000003.303655193.000000000565D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000003.273114833.000000000565D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1172008
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 2C8008
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DE8008
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
        Source: RegAsm.exe, 00000001.00000002.511051788.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000003.273153814.0000000005605000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.513309501.000000000328F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: RegAsm.exe, 00000001.00000002.522542242.0000000005618000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managera
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Queries volume information: C:\Users\user\Desktop\1111110789_stripped.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Queries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Queries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | Queries volume information: C:\Users\user\AppData\Roaming\msdtc\msdtc.exe VolumeInformation
        Source: C:\Users\user\Desktop\1111110789_stripped.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        barindex
        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 38.2.msdtc.exe.26ec204.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000001.00000000.254425551.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 1111110789_stripped.exe PID: 684, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: msdtc.exe PID: 5808, type: MEMORYSTR
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
        Source: 1111110789_stripped.exe, 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
        Source: 1111110789_stripped.exe, 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: procexp.exe
        Source: 1111110789_stripped.exe, 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, msdtc.exe, 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

        Stealing of Sensitive Information

        barindex
        Source: Yara match | File source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: Yara match | File source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        1
        Valid Accounts
        1
        Windows Management Instrumentation
        1
        Valid Accounts
        1
        Valid Accounts
        1
        Masquerading
        1
        Input Capture
        21
        Security Software Discovery
        Remote Services1
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default Accounts2
        Scheduled Task/Job
        2
        Scheduled Task/Job
        1
        Access Token Manipulation
        1
        Valid Accounts
        LSASS Memory1
        Process Discovery
        Remote Desktop Protocol1
        Archive Collected Data
        Exfiltration Over Bluetooth1
        Non-Standard Port
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)1
        DLL Side-Loading
        312
        Process Injection
        1
        Access Token Manipulation
        Security Account Manager21
        Virtualization/Sandbox Evasion
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
        Non-Application Layer Protocol
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)2
        Scheduled Task/Job
        1
        Disable or Modify Tools
        NTDS1
        Application Window Discovery
        Distributed Component Object ModelInput CaptureScheduled Transfer21
        Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon Script1
        DLL Side-Loading
        21
        Virtualization/Sandbox Evasion
        LSA Secrets1
        Remote System Discovery
        SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common312
        Process Injection
        Cached Domain Credentials13
        System Information Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items111
        Obfuscated Files or Information
        DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job12
        Software Packing
        Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
        DLL Side-Loading
        /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 724751 Sample: 1111110789_stripped.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 72 7 other signatures 2->72 7 1111110789_stripped.exe 4 2->7         started        11 msdtc.exe 3 2->11         started        13 msdtc.exe 2 2->13         started        15 msdtc.exe 2->15         started        process3 file4 60 C:\Users\user\...\1111110789_stripped.exe.log, CSV 7->60 dropped 76 Writes to foreign memory regions 7->76 78 Allocates memory in foreign processes 7->78 80 Injects a PE file into a foreign processes 7->80 17 cmd.exe 3 7->17         started        20 cmd.exe 2 7->20         started        23 RegAsm.exe 1 2 7->23         started        26 cmd.exe 1 7->26         started        82 Antivirus detection for dropped file 11->82 84 Machine Learning detection for dropped file 11->84 28 cmd.exe 11->28         started        30 cmd.exe 1 11->30         started        34 2 other processes 11->34 32 cmd.exe 13->32         started        36 3 other processes 13->36 signatures5 process6 dnsIp7 56 C:\Users\user\AppData\Roaming\...\msdtc.exe, PE32 17->56 dropped 58 C:\Users\user\...\msdtc.exe:Zone.Identifier, ASCII 17->58 dropped 38 conhost.exe 17->38         started        74 Uses schtasks.exe or at.exe to add and modify task schedules 20->74 40 conhost.exe 20->40         started        62 venom12345.duckdns.org 185.216.71.4, 4449, 49708 CLOUDCOMPUTINGDE Germany 23->62 64 windowsupdatebg.s.llnwi.net 23->64 42 conhost.exe 26->42         started        44 schtasks.exe 1 26->44         started        50 2 other processes 28->50 46 conhost.exe 30->46         started        52 2 other processes 32->52 48 conhost.exe 34->48         started        54 2 other processes 36->54 file8 signatures9 process10

        Source | Detection | Scanner | Label
        1111110789_stripped.exe | 100% | Avira | HEUR/AGEN.1235903
        1111110789_stripped.exe | 100% | Joe Sandbox ML
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | 100% | Avira | HEUR/AGEN.1235903
        C:\Users\user\AppData\Roaming\msdtc\msdtc.exe | 100% | Joe Sandbox ML
        Source | Detection | Scanner | Label
        1.0.RegAsm.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1202835
        0.0.1111110789_stripped.exe.ee0000.0.unpack | 100% | Avira | HEUR/AGEN.1235903
        No Antivirus matches
        Source | Detection | Scanner | Label
        venomunverified.duckdns.org | 0% | Avira URL Cloud | safe
        venom12345.duckdns.org | 100% | Avira URL Cloud | malware
        Name | IP | Active | Malicious | Reputation
        venom12345.duckdns.org | 185.216.71.4 | true | true | unknown
        windowsupdatebg.s.llnwi.net | 178.79.225.128 | true | false | unknown
        Name | Malicious | Antivirus Detection | Reputation
        venomunverified.duckdns.org | true | Avira URL Cloud: safe | unknown
        venom12345.duckdns.org | true | Avira URL Cloud: malware | unknown
        Name | Source | Malicious | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.513013520.000000000324C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp | false | high
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
        IP | Domain | Country | ASN | ASN Name | Malicious
        185.216.71.4 | venom12345.duckdns.org | Germany | 43659 | CLOUDCOMPUTINGDE | true
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:724751
              Start date and time:2022-10-17 19:25:10 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 7m 44s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:1111110789_stripped.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:39
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@43/7@1/1
              EGA Information:
              • Successful, ratio: 71.4%
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 63
              • Number of non-executed functions: 4
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 178.79.225.128
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
              • Execution Graph export aborted for target RegAsm.exe, PID 2044 because it is empty
              • Execution Graph export aborted for target msdtc.exe, PID 5808 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
        Time | Type | Description
        19:26:11 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe"
        19:26:14 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
        Match | Associated Sample Name / URL | Detection | Context
        185.216.71.4 | Scanned_V11230111111PDF-clean.exe | malicious
        Match | Associated Sample Name / URL | Detection | Context
        venom12345.duckdns.org | Scanned_V11230111111PDF-clean.exe | malicious | 185.216.71.4
        windowsupdatebg.s.llnwi.net | Brevaabneres.vbs | malicious | 178.79.242.0
        windowsupdatebg.s.llnwi.net | file.exe | malicious | 41.63.96.0
        windowsupdatebg.s.llnwi.net | file.exe | malicious | 95.140.230.128
        windowsupdatebg.s.llnwi.net | uCsyXFwI3z.exe | malicious | 95.140.230.192
        windowsupdatebg.s.llnwi.net | rundll32.exe | malicious | 41.63.96.128
        windowsupdatebg.s.llnwi.net | SecuriteInfo.com.Win64.PWSX-gen.29205.30420.exe | malicious | 178.79.225.128
        windowsupdatebg.s.llnwi.net | Rechnungszahlung,png.exe | malicious | 95.140.236.128
        windowsupdatebg.s.llnwi.net | olS4EmgVH6.exe | malicious | 178.79.242.0
        windowsupdatebg.s.llnwi.net | TT COPY.exe | malicious | 95.140.236.128
        windowsupdatebg.s.llnwi.net | CONTRACT.exe | malicious | 95.140.230.128
        windowsupdatebg.s.llnwi.net | iNs33x9LKJ.exe | malicious | 95.140.236.128
        windowsupdatebg.s.llnwi.net | payment copy.exe | malicious | 95.140.230.128
        windowsupdatebg.s.llnwi.net | Urgent RFQ No.6554342.vbs | malicious | 41.63.96.0
        windowsupdatebg.s.llnwi.net | SecuriteInfo.com.Variant.Lazy.253499.16416.9758.exe | malicious | 178.79.242.128
        windowsupdatebg.s.llnwi.net | adNYd44zMI.exe | malicious | 178.79.225.128
        windowsupdatebg.s.llnwi.net | swift copy.exe | malicious | 178.79.242.0
        windowsupdatebg.s.llnwi.net | Vamse.exe | malicious | 178.79.225.128
        windowsupdatebg.s.llnwi.net | Confirmaci#U00f3n de transferencia-687900.exe | malicious | 178.79.225.128
        windowsupdatebg.s.llnwi.net | Contrato 52000051-NDE--SIP-002.vbs | malicious | 178.79.242.0
        windowsupdatebg.s.llnwi.net | SecuriteInfo.com.Win32.PWSX-gen.10999.3561.exe | malicious | 178.79.242.0
        Match | Associated Sample Name / URL | Detection | Context
        CLOUDCOMPUTINGDE | file.exe | malicious | 80.76.51.172
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 80.76.51.172
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | AD1-2001028L.exe | malicious | 185.216.71.120
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | Order10-2022.exe | malicious | 185.216.71.242
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | file.exe | malicious | 85.31.46.167
        CLOUDCOMPUTINGDE | PaidInvoice2763.exe | malicious | 185.216.71.242
        CLOUDCOMPUTINGDE | SecuriteInfo.com.Win32.TrojanX-gen.24965.9713.exe | malicious | 185.216.71.120
        CLOUDCOMPUTINGDE | Quote_05102022161754.exe | malicious | 185.216.71.120
                No context
                No context
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62397 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):62397
                Entropy (8bit):7.995531606726499
                Encrypted:true
                SSDEEP:1536:6VT6EGIYmIA2VKd1ZepH+41ZnDVrFyv+7XAZa7pAn:A6JI5IjOcTZDGvYXAZhn
                MD5:D15AAA7C9BE910A9898260767E2490E1
                SHA1:2090C53F8D9FC3FBDBAFD3A1E4DC25520EB74388
                SHA-256:F8EBAAF487CBA0C81A17C8CD680BDD2DD8E90D2114ECC54844CFFC0CC647848E
                SHA-512:7E1C1A683914B961B5CC2FE5E4AE288B60BAB43BFAA21CE4972772AA0589615C19F57E672E1D93E50A7ED7B76FBD2F1B421089DCAED277120B93F8E91B18AF94
                Malicious:false
                Preview:MSCF............,...................I.................-UIh .authroot.stl......5..CK..<Tk...c_.d......F...,Y.d...!......$E.KB..D..%*J..}f...grs..}?>...s..<...=g.h.=W..W....b.i.....L......1:..c.0......1t.2t......w..........i,#.#..V..r...7.....W.)++.lF..he.4|.../F.0:0...].#..I(.#.-... ...(.J....2{..`.hO..Gl+.be7y.j....)........<...........s.W..../\./...){n...s.........V..}.K.Wv3Y...A.9w9.Ea.x.W........\.;.i..d^...[..f.p..B..s.....60.<!.(.........!s0.#..!7.....J..........F...0...C..8..8.....4...<.X...!U.%.GN*.!....*G........F<..0.1..ZZz,....X.U.L..S......9.)..fy0Z.(.VS.{...{.=.h..a'.>U...AG....pu=.P}.......s.`@t((..JVdN.....!_@...|.,..'0..3.`.DU...%0.Gi.4sv.#..5.U.?.......p.."........9.|..j.<....b`.,...~..I.T.{..cY..X>....Z/..._.K>..>.3.#>X.%..b...5.YG.E.V._\?.....EpF}.....jz...,.f "h.{........U......k......U...3v....G.l[..x*.{...=...r.....$.I....>.1..~.\k.W..[....X...@xp..,.qf.B..<yN:fL~ <............>.#...F...z....yw...N.o..,.c../.:..Ql...y.
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:data
                Category:modified
                Size (bytes):290
                Entropy (8bit):2.991807164658857
                Encrypted:false
                SSDEEP:6:kKoDXiN+SkQlPlEGYRMY9z+4KlDA3RUe/:wDXJkPlE99SNxAhUe/
                MD5:B573724F28B1E471C72AFAC39D55E762
                SHA1:9897B4E38611848D5C0BD54C687A09B910D80F43
                SHA-256:9633FAA4EDAE3480D69D748ADC3F2B15700104A93F242B006AFDB0A3FD1D2F56
                SHA-512:345DF296293053B5F04B65E10CFB8C35864EF521398E8E4C16E059B4742CEC6A607F02E3D876071D960487D2AE43A6532F5E2F1A50EC072103DEA048FCF0EFE2
                Malicious:false
                Preview (UTF-16 text, binary header omitted): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Process:C:\Users\user\Desktop\1111110789_stripped.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):425
                Entropy (8bit):5.340009400190196
                Encrypted:false
                SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                MD5:CC144808DBAF00E03294347EADC8E779
                SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                Malicious:true
                Preview:
                1,"fusion","GAC",0
                1,"WinRT","NotApp",1
                3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
                3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):425
                Entropy (8bit):5.340009400190196
                Encrypted:false
                SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                MD5:CC144808DBAF00E03294347EADC8E779
                SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                Malicious:false
                Preview:
                1,"fusion","GAC",0
                1,"WinRT","NotApp",1
                3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
                3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
                Process:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):425
                Entropy (8bit):5.340009400190196
                Encrypted:false
                SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                MD5:CC144808DBAF00E03294347EADC8E779
                SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                Malicious:false
                Preview:
                1,"fusion","GAC",0
                1,"WinRT","NotApp",1
                3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
                3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
                Process:C:\Windows\SysWOW64\cmd.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):318976
                Entropy (8bit):6.980537711280132
                Encrypted:false
                SSDEEP:6144:3baECFP6mYUjRMcvrKS6wPYZt/ZiGbG3FiP6Dz0tMneI4WQL2felwfZI/y:bmY+jKSfYdZrwu/
                MD5:BA218C4DB9606A955D3DD4E5ABA22B7F
                SHA1:927F94547DB0D01EB873807EC11950B641C207C2
                SHA-256:99735BF17537E921B53F4B4F2AADA8FECBF1D0627CE3139B878151D9FE3F4B9F
                SHA-512:3623F7624EDA9E6EAA4FBD835CF20B20D2EAB1A1DB5350CA61F6488944FAB4D3F7D80809488C80F1F3C7271E6F8327C9D62E83882D1FC8A43E18EDBE892F0D5A
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Process:C:\Windows\SysWOW64\cmd.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:
                [ZoneTransfer]
                ZoneId=0
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):6.980537711280132
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:1111110789_stripped.exe
                File size:318976
                MD5:ba218c4db9606a955d3dd4e5aba22b7f
                SHA1:927f94547db0d01eb873807ec11950b641c207c2
                SHA256:99735bf17537e921b53f4b4f2aada8fecbf1d0627ce3139b878151d9fe3f4b9f
                SHA512:3623f7624eda9e6eaa4fbd835cf20b20d2eab1a1db5350ca61f6488944fab4d3f7d80809488c80f1f3c7271e6f8327c9d62e83882d1fc8a43e18edbe892f0d5a
                SSDEEP:6144:3baECFP6mYUjRMcvrKS6wPYZt/ZiGbG3FiP6Dz0tMneI4WQL2felwfZI/y:bmY+jKSfYdZrwu/
                TLSH:F4641A80FF63A3D9FC7BA9F6C722D9C1B2D4007D4346EBE2A594E233A2C8F614915516
                Icon Hash:cc8e9aab978ecef0
                Entrypoint:0x418052
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x634D80B5 [Mon Oct 17 16:20:05 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                Name                                 | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x18008         | 0x4a         | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x1a000         | 0x3779c      | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x52000         | 0xc          | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                .text  | 0x2000          | 0x16058      | 0x16200  | False    | 0.8509335275423728 | data      | 7.674793845031527   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc  | 0x1a000         | 0x3779c      | 0x37800  | False    | 0.4026560740427928 | data      | 6.519534167834536   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x52000         | 0xc          | 0x200    | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name          | RVA     | Size    | Type                                                                            | Language | Country
                RT_ICON       | 0x1a0b4 | 0x90c2  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                      |          |
                RT_ICON       | 0x2319a | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584             |          |
                RT_ICON       | 0x339e6 | 0x94a8  | Device independent bitmap graphic, 96 x 192 x 32, image size 38016              |          |
                RT_ICON       | 0x3ceb2 | 0x67e8  | Device independent bitmap graphic, 80 x 160 x 32, image size 26560              |          |
                RT_ICON       | 0x436be | 0x5488  | Device independent bitmap graphic, 72 x 144 x 32, image size 21600              |          |
                RT_ICON       | 0x48b6a | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16896              |          |
                RT_ICON       | 0x4cdb6 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                |          |
                RT_ICON       | 0x4f382 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                |          |
                RT_ICON       | 0x5044e | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2400                |          |
                RT_ICON       | 0x50dfa | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                |          |
                RT_GROUP_ICON | 0x512b0 | 0x92    | data                                                                            |          |
                RT_VERSION    | 0x5137e | 0x1f8   | data                                                                            | English  | United States
                RT_MANIFEST   | 0x515b2 | 0x1ea   | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |
                DLL         | Import
                mscoree.dll | _CorExeMain
                Language of compilation system | Country where language is spoken | Map
                English                        | United States                    |
                Timestamp                | Protocol | SID     | Message                                                     | Source Port | Dest Port | Source IP    | Dest IP
                10/17/22-19:26:14.287650 | TCP      | 2850454 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT)         | 4449        | 49708     | 185.216.71.4 | 192.168.2.6
                10/17/22-19:26:14.287650 | TCP      | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 4449        | 49708     | 185.216.71.4 | 192.168.2.6
                TCP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                UDP Packets:
                Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                Oct 17, 2022 19:26:14.062417984 CEST | 58595       | 53        | 192.168.2.6 | 8.8.8.8
                Oct 17, 2022 19:26:14.171480894 CEST | 53          | 58595     | 8.8.8.8     | 192.168.2.6
                DNS Queries:
                Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                   | Type           | Class       | DNS over HTTPS
                Oct 17, 2022 19:26:14.062417984 CEST | 192.168.2.6 | 8.8.8.8 | 0x3e01   | Standard query (0) | venom12345.duckdns.org | A (IP address) | IN (0x0001) | false
                DNS Answers:
                Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                        | CName | Address        | Type           | Class       | DNS over HTTPS
                Oct 17, 2022 19:26:14.171480894 CEST | 8.8.8.8   | 192.168.2.6 | 0x3e01   | No error (0) | venom12345.duckdns.org      |       | 185.216.71.4   | A (IP address) | IN (0x0001) | false
                Oct 17, 2022 19:26:14.833364964 CEST | 8.8.8.8   | 192.168.2.6 | 0xd1c4   | No error (0) | windowsupdatebg.s.llnwi.net |       | 178.79.225.128 | A (IP address) | IN (0x0001) | false
                Oct 17, 2022 19:26:14.833364964 CEST | 8.8.8.8   | 192.168.2.6 | 0xd1c4   | No error (0) | windowsupdatebg.s.llnwi.net |       | 178.79.225.0   | A (IP address) | IN (0x0001) | false

                Target ID:0
                Start time:19:26:01
                Start date:17/10/2022
                Path:C:\Users\user\Desktop\1111110789_stripped.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\1111110789_stripped.exe
                Imagebase:0xee0000
                File size:318976 bytes
                MD5 hash:BA218C4DB9606A955D3DD4E5ABA22B7F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.258791467.0000000003406000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low

                Target ID:1
                Start time:19:26:08
                Start date:17/10/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Imagebase:0xe20000
                File size:64616 bytes
                MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.509335673.00000000015E5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.508512430.0000000001585000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.513229580.000000000327E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000000.254425551.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.509118659.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000001.00000002.510434732.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:high

                Target ID:2
                Start time:19:26:09
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:3
                Start time:19:26:09
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:4
                Start time:19:26:09
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:5
                Start time:19:26:09
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:6
                Start time:19:26:09
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c copy "C:\Users\user\Desktop\1111110789_stripped.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:7
                Start time:19:26:10
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x80000
                File size:185856 bytes
                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:8
                Start time:19:26:10
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:9
                Start time:19:26:11
                Start date:17/10/2022
                Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0xe20000
                File size:318976 bytes
                MD5 hash:BA218C4DB9606A955D3DD4E5ABA22B7F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML

                Target ID:10
                Start time:19:26:22
                Start date:17/10/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Imagebase:0x20000
                File size:64616 bytes
                MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.298467829.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000A.00000002.303426131.0000000004968000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

                Target ID:14
                Start time:19:26:23
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:17
                Start time:19:26:24
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:18
                Start time:19:26:24
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:20
                Start time:19:26:24
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:21
                Start time:19:26:24
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:22
                Start time:19:26:24
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x80000
                File size:185856 bytes
                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:24
                Start time:19:26:25
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:27
                Start time:19:27:01
                Start date:17/10/2022
                Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0x390000
                File size:318976 bytes
                MD5 hash:BA218C4DB9606A955D3DD4E5ABA22B7F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET

                Target ID:28
                Start time:19:27:09
                Start date:17/10/2022
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Imagebase:0xad0000
                File size:64616 bytes
                MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000001C.00000002.402891320.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000001C.00000002.403928683.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

                Target ID:29
                Start time:19:27:09
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c mkdir "C:\Users\user\AppData\Roaming\msdtc
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:30
                Start time:19:27:10
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:31
                Start time:19:27:10
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x1b0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:32
                Start time:19:27:10
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:33
                Start time:19:27:10
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:cmd" /c copy "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0x7ff603c50000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:34
                Start time:19:27:10
                Start date:17/10/2022
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\msdtc\msdtc.exe'" /f
                Imagebase:0x80000
                File size:185856 bytes
                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:35
                Start time:19:27:11
                Start date:17/10/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6da640000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language

                Target ID:38
                Start time:19:28:00
                Start date:17/10/2022
                Path:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\msdtc\msdtc.exe
                Imagebase:0x230000
                File size:318976 bytes
                MD5 hash:BA218C4DB9606A955D3DD4E5ABA22B7F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000026.00000002.509598735.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security


                  Execution Graph

                  Execution Coverage:36.2%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:5.8%
                  Total number of Nodes:52
                  Total number of Limit Nodes:2
                  [Execution graph rendering data omitted. API nodes in graph order: CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread]

                  Control-flow Graph

                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 01743F10
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: d4eaefc28dac2f7ec1014992a404fb8d21c79e821676d23d8f00ea4a5d9fadd0
                  • Instruction ID: 71dd5695fcbb79da40ffacb3dc2e833a79b35d0eebc08da23be941b25458bd83
                  • Opcode Fuzzy Hash: d4eaefc28dac2f7ec1014992a404fb8d21c79e821676d23d8f00ea4a5d9fadd0
                  • Instruction Fuzzy Hash: D3A15971E002299FDB24CFA9C8857DDBBB2FF48304F0481A9E959A7391DB749985CF81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 01744127
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID: X
                  • API String ID: 1591575202-3081909835
                  • Opcode ID: f6ba3cd12a107de0f0521cfeaecbd01bbc664663f981b1558884b406b61c4513
                  • Instruction ID: de61e184ae5177ca56ba4041d31b7b38dab2e6ae2e98ca237a2297a8c35279bf
                  • Opcode Fuzzy Hash: f6ba3cd12a107de0f0521cfeaecbd01bbc664663f981b1558884b406b61c4513
                  • Instruction Fuzzy Hash: E82168B1E042198FDB00CFA9D8457EEFBF0FF49214F04829AD418E7251D7349A149BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID: =
                  • API String ID: 947044025-2322244508
                  • Opcode ID: 176809b7f5dd145b4bd203cccff9f1ccc2101845bbfaa91527deb5fbce743099
                  • Instruction ID: 76fe914498c9048c9afba3612e6fa6227b140d4c53ff317ea0db8e1145992a16
                  • Opcode Fuzzy Hash: 176809b7f5dd145b4bd203cccff9f1ccc2101845bbfaa91527deb5fbce743099
                  • Instruction Fuzzy Hash: A0F0CD718082448FDB51DBA8E4143EAFBF0AB82218F20818BD84AD2A51C3790A09DB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 01743F10
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: 297605c0c85654d5fcde341be0b374c2d60ed77fb86877e64877510af2b0928c
                  • Instruction ID: d5ee577160667d0bd0f8e78d55f4faecee827cfdc22875c2e15a34a45488635f
                  • Opcode Fuzzy Hash: 297605c0c85654d5fcde341be0b374c2d60ed77fb86877e64877510af2b0928c
                  • Instruction Fuzzy Hash: BDB18971E002298FDB11CFA8D8817DDBBB2FF49304F0481AAE959A7281DB349985CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01744395
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 57e24c7f53b8cd3c78eb12cfad5bf19aca5a6d027e46154f276a0d6c3d658af6
                  • Instruction ID: d6c013eb05c290e65399e7129f7776f289fb5eed91e9ce542e8b6c430e11d26a
                  • Opcode Fuzzy Hash: 57e24c7f53b8cd3c78eb12cfad5bf19aca5a6d027e46154f276a0d6c3d658af6
                  • Instruction Fuzzy Hash: 6F21F4B1900259DFDB10CFA9D885BDEFBF4FB48314F04852AE519A7240D374A944DFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01744395
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 8ff9a06a327eb9f0cabb6319016b1d98b06354559dbc4c687879d8c33baf29a0
                  • Instruction ID: b24401163a151412e6346bae1789b2ccc939258f89468bc69e09810bc3db3f1d
                  • Opcode Fuzzy Hash: 8ff9a06a327eb9f0cabb6319016b1d98b06354559dbc4c687879d8c33baf29a0
                  • Instruction Fuzzy Hash: 1D21E2B1900259DFDB10CF9AD885BDEFBF4FB48324F04842AE919A3240D778A944CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 01744127
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: 90515d84494842c58a7e11b3a12cd27372353fb19244903a51c1fc3389250dd0
                  • Instruction ID: da552da514bef14c08222bfae00705c32201fe5a3fefc273bc3bf89433e251da
                  • Opcode Fuzzy Hash: 90515d84494842c58a7e11b3a12cd27372353fb19244903a51c1fc3389250dd0
                  • Instruction Fuzzy Hash: 612117B1E006199FDB00CF9AD885BDEFBF4BB48224F14812AD418F3640D778A9448FA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 01744127
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: e25c943b8fe849ba041ba39701ed6d58494ce90ec63244f6704fc0080cebe669
                  • Instruction ID: 02b86311e999257f18eb49f4b1bae2b6bfe898b64708a60a66e949b02c1f1064
                  • Opcode Fuzzy Hash: e25c943b8fe849ba041ba39701ed6d58494ce90ec63244f6704fc0080cebe669
                  • Instruction Fuzzy Hash: 6B1117B1E106199FDB00CF9AD985BDEFBF4BB48224F14812AD418F3640D778A9448FA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017441E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: df4264e1fdd0a84f3a16eacfa6917172eb34790b1f9de31bef8dfb664d0e9e7b
                  • Instruction ID: 48b11206dc340609fb114bcc6b552e756ac88b07dab3e3121e773729fc9d3baf
                  • Opcode Fuzzy Hash: df4264e1fdd0a84f3a16eacfa6917172eb34790b1f9de31bef8dfb664d0e9e7b
                  • Instruction Fuzzy Hash: FB2106B59002499FDB10CF9AC884BDEFBF4FB48320F148429E558A3250D374A545DFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 017441E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 017442CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 017442CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.258316466.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1740000_1111110789_stripped.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.258206438.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_16ed000_1111110789_stripped.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.258206438.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_16ed000_1111110789_stripped.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.258206438.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_16ed000_1111110789_stripped.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.258206438.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_16ed000_1111110789_stripped.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage: 19.4%
                  Dynamic/Decrypted Code Coverage: 100%
                  Signature Coverage: 33.3%
                  Total number of Nodes: 9
                  Total number of Limit Nodes: 0

                  Control-flow Graph

                  APIs
                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 017F25E9
                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID: <sl
                  • API String ID: 0-3960564624
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 017F25E9
                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.509902637.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_17f0000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage: 40.6%
                  Dynamic/Decrypted Code Coverage: 100%
                  Signature Coverage: 0%
                  Total number of Nodes: 52
                  Total number of Limit Nodes: 2

                  Control-flow Graph

                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 014D4127
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID: X
                  • API String ID: 1591575202-3081909835
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID: =
                  • API String ID: 947044025-2322244508
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 014D3F10
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: 9c76d2c0fc0ccc0c0e602c1c9938fb2d44392439c23b23985bfa16634c50d2ef
                  • Instruction ID: 2982753a561c13aa7be9dc830d5e7e3c3dab57b1bd68d615ca02db99c206580e
                  • Opcode Fuzzy Hash: 9c76d2c0fc0ccc0c0e602c1c9938fb2d44392439c23b23985bfa16634c50d2ef
                  • Instruction Fuzzy Hash: D6A15C71E002199FDF10CF69C9557DEBBB2FB48314F0481AAE958A73A0DB749985CF82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 83 14d3c80-14d3d19 85 14d3d6d-14d3d8d 83->85 86 14d3d1b-14d3d40 83->86 90 14d3d8f-14d3db4 85->90 91 14d3de1-14d3e12 85->91 86->85 89 14d3d42-14d3d44 86->89 92 14d3d67-14d3d6a 89->92 93 14d3d46-14d3d50 89->93 90->91 101 14d3db6-14d3db8 90->101 99 14d3e69-14d3f23 CreateProcessAsUserA 91->99 100 14d3e14-14d3e3c 91->100 92->85 94 14d3d54-14d3d63 93->94 95 14d3d52 93->95 94->94 98 14d3d65 94->98 95->94 98->92 113 14d3f2c-14d3fa0 99->113 114 14d3f25-14d3f2b 99->114 100->99 109 14d3e3e-14d3e40 100->109 102 14d3ddb-14d3dde 101->102 103 14d3dba-14d3dc4 101->103 102->91 106 14d3dc8-14d3dd7 103->106 107 14d3dc6 103->107 106->106 108 14d3dd9 106->108 107->106 108->102 111 14d3e63-14d3e66 109->111 112 14d3e42-14d3e4c 109->112 111->99 115 14d3e4e 112->115 116 14d3e50-14d3e5f 112->116 125 14d3fb0-14d3fb4 113->125 126 14d3fa2-14d3fa6 113->126 114->113 115->116 116->116 117 14d3e61 116->117 117->111 128 14d3fc4-14d3fc8 125->128 129 14d3fb6-14d3fba 125->129 126->125 127 14d3fa8 126->127 127->125 131 14d3fd8-14d3fdc 128->131 132 14d3fca-14d3fce 128->132 129->128 130 14d3fbc 129->130 130->128 133 14d3fee-14d3ff5 131->133 134 14d3fde-14d3fe4 131->134 132->131 135 14d3fd0 132->135 136 14d400c 133->136 137 14d3ff7-14d4006 133->137 134->133 135->131 139 14d400d 136->139 137->136 139->139
                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 014D3F10
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: f585cb05cb60075b59a8875d586cb74920fb893f95621e25770e07332d9a1a80
                  • Instruction ID: 626a54585e83d4f577f7cc775a7ec4e6df80403c2f54a4c0a865d429bd1e122f
                  • Opcode Fuzzy Hash: f585cb05cb60075b59a8875d586cb74920fb893f95621e25770e07332d9a1a80
                  • Instruction Fuzzy Hash: 93A14B71E002198FDF14CF69C9517DEBBB2FB48314F0481AAE958A73A0DB749985CF92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 211 14d4300-14d4359 213 14d4369-14d43a2 WriteProcessMemory 211->213 214 14d435b-14d4367 211->214 215 14d43ab-14d43cc 213->215 216 14d43a4-14d43aa 213->216 214->213 216->215
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 014D4395
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 617e6ffe1b8e64c8364137b93a5473b51073e3d65565eb6f41d90b8f1169493f
                  • Instruction ID: 8edf5c2de1f056f148ed829c7e79bf9003ccb47af56ea53c69212fd2de2111dd
                  • Opcode Fuzzy Hash: 617e6ffe1b8e64c8364137b93a5473b51073e3d65565eb6f41d90b8f1169493f
                  • Instruction Fuzzy Hash: 0A21F3B1900259DFDF10CFAAD885BDEBBF4FB48310F14852AE518A7650D774A544CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 218 14d4308-14d4359 220 14d4369-14d43a2 WriteProcessMemory 218->220 221 14d435b-14d4367 218->221 222 14d43ab-14d43cc 220->222 223 14d43a4-14d43aa 220->223 221->220 223->222
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 014D4395
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 3e64c829c70867892167961a8f8351f479c51c21e5d2ecb1ab4043f5d1280132
                  • Instruction ID: 962dc9b18998be668091de02c9670e28e044493ff34e0f04a0e9d67109bac166
                  • Opcode Fuzzy Hash: 3e64c829c70867892167961a8f8351f479c51c21e5d2ecb1ab4043f5d1280132
                  • Instruction Fuzzy Hash: 4F21E4B1A00259DFDF10CF9AD885BDEBBF4FB48314F14842AE918A3750D774A944CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 225 14d40ae-14d40fc 228 14d40fe-14d4106 225->228 229 14d4108-14d4134 SetThreadContext 225->229 228->229 230 14d413d-14d415e 229->230 231 14d4136-14d413c 229->231 231->230
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 014D4127
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: 6155ab32a15f6cca315aa927b55d90597e8f70266c2910e92846e9f8a20dd3df
                  • Instruction ID: 3f9d1c45a34d1fd5365ce8fa19f3228097387d4689fb09b84dce6ee238fb6c5c
                  • Opcode Fuzzy Hash: 6155ab32a15f6cca315aa927b55d90597e8f70266c2910e92846e9f8a20dd3df
                  • Instruction Fuzzy Hash: 22211AB1E006199FDB10CFAAD885BDEFBF4FB48224F54812AD518B3740D774A9448FA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 233 14d40b0-14d40fc 235 14d40fe-14d4106 233->235 236 14d4108-14d4134 SetThreadContext 233->236 235->236 237 14d413d-14d415e 236->237 238 14d4136-14d413c 236->238 238->237
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 014D4127
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: c7630479bb1caa192e68096fd6a89eb00a3380942f9806f81b6d54b6f6ac4298
                  • Instruction ID: a2759607659cceeb73756af84247b789a9be52360230cf4b055942a7b7852804
                  • Opcode Fuzzy Hash: c7630479bb1caa192e68096fd6a89eb00a3380942f9806f81b6d54b6f6ac4298
                  • Instruction Fuzzy Hash: 5A211AB1E006199FDB10CF9AD885BDEFBF4BB48224F54812AD518B3740D774A9448FA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 240 14d416e-14d41f3 ReadProcessMemory 243 14d41fc-14d421d 240->243 244 14d41f5-14d41fb 240->244 244->243
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014D41E6
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: f5566e19f2e279fb86bb428d8ebd99a22c71eca89632b235e09fffa6ed2ccc73
                  • Instruction ID: c9ea9c710a4cd618abae9f445a3908f28cbd76b170d5e2cffef3219906dc18d5
                  • Opcode Fuzzy Hash: f5566e19f2e279fb86bb428d8ebd99a22c71eca89632b235e09fffa6ed2ccc73
                  • Instruction Fuzzy Hash: 0221D6B5900249DFDB10CF9AD884BDEFBF4FB48320F14842AE558A7650D774A645CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 246 14d4170-14d41f3 ReadProcessMemory 248 14d41fc-14d421d 246->248 249 14d41f5-14d41fb 246->249 249->248
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014D41E6
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 24e5d397cdffb4606264b33b4158e8c4f27c1b91409801abdec0b0d79bff9b49
                  • Instruction ID: 07d58cbf491ccedc8b055f5ce1f2784be92769705bba373bdad2e947056f499f
                  • Opcode Fuzzy Hash: 24e5d397cdffb4606264b33b4158e8c4f27c1b91409801abdec0b0d79bff9b49
                  • Instruction Fuzzy Hash: 3A21D6B5900249DFDB10CF9AC884BDEBBF4FB48320F14842AE558A7650D774A645CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 251 14d4258-14d42d8 VirtualAllocEx 254 14d42da-14d42e0 251->254 255 14d42e1-14d42f5 251->255 254->255
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014D42CB
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: a6eea7d64b98ae62114ec80414e79ad4c0799c3eb4ed45e8755a0a26c7641788
                  • Instruction ID: 83629ed95c1bdb462b270ba7a947c82d1b3b1d30538f05e52ec0c0c01cb99c28
                  • Opcode Fuzzy Hash: a6eea7d64b98ae62114ec80414e79ad4c0799c3eb4ed45e8755a0a26c7641788
                  • Instruction Fuzzy Hash: EA1102B5800248DFDB10CF9AD888BDFBBF4FB48324F14881AE628A7650C775A544CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 257 14d4260-14d42d8 VirtualAllocEx 259 14d42da-14d42e0 257->259 260 14d42e1-14d42f5 257->260 259->260
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 014D42CB
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 1793b6c1e8a37e6ceb29e7be9642f519b63fe7857f5c40ceec0ddd179464ef16
                  • Instruction ID: 508954df04f2ef3149cff8dcb662ee9bed15fa0509d5d532a09d726955170f02
                  • Opcode Fuzzy Hash: 1793b6c1e8a37e6ceb29e7be9642f519b63fe7857f5c40ceec0ddd179464ef16
                  • Instruction Fuzzy Hash: 7011DFB59002499FDB10CF9AD888BDEBBF4EB48324F14841AE628A7650C775A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 262 14d443e-14d44ac ResumeThread 265 14d44ae-14d44b4 262->265 266 14d44b5-14d44c9 262->266 265->266
                  APIs
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 9b05f2e52ba415a90ab9015524b57a39fdb06974f8af722b9a7c00add211b85d
                  • Instruction ID: b6b27800fe7499a9ad069ab5b39767c088afad96b3d352e4c6a2ca8a6ecb9d54
                  • Opcode Fuzzy Hash: 9b05f2e52ba415a90ab9015524b57a39fdb06974f8af722b9a7c00add211b85d
                  • Instruction Fuzzy Hash: C31112B18002588FDB10CF9AD488BDEFBF8EB48324F14841AD518A7740C774A984CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 268 14d4440-14d44ac ResumeThread 270 14d44ae-14d44b4 268->270 271 14d44b5-14d44c9 268->271 270->271
                  APIs
                  Memory Dump Source
                  • Source File: 00000009.00000002.291398068.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_14d0000_msdtc.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 4d395a867128e5f3a41b071bd05ca6c9ff0515bf29d88aefb5b929247b0f4ad2
                  • Instruction ID: 4375b3a33f7e61d7823867c5d56aeb524b50b61d8a30b6132174727d144a4e78
                  • Opcode Fuzzy Hash: 4d395a867128e5f3a41b071bd05ca6c9ff0515bf29d88aefb5b929247b0f4ad2
                  • Instruction Fuzzy Hash: A01112B18002588FDB10CF9AD488BDEFBF8EB48324F14841AD518A3740C774A984CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000000A.00000002.297821248.000000000050D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0050D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_50d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c84f9560ba04bf36ad896846441e11fdd43fd922eb8563b0954a3d920cc5b25f
                  • Instruction ID: d6513a1d32024ad8cfe9fa101768734bcafe6f704f982423bebe852f213aa1b9
                  • Opcode Fuzzy Hash: c84f9560ba04bf36ad896846441e11fdd43fd922eb8563b0954a3d920cc5b25f
                  • Instruction Fuzzy Hash: F021DEB1504240DFDF148F54D8C0B2ABF71FB98324F24C969E9094A286C376E846C6B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000000A.00000002.297821248.000000000050D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0050D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_50d000_RegAsm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6592a2ffbec7cb030ff3a8b202f047f88511b758034c60d7b13c99de5a8e64a1
                  • Instruction ID: c92d5e28eb764ee6e4289fd7443be2243d60e7d8802e08e7c991a15b62c554a6
                  • Opcode Fuzzy Hash: 6592a2ffbec7cb030ff3a8b202f047f88511b758034c60d7b13c99de5a8e64a1
                  • Instruction Fuzzy Hash: ED11E676504280DFDF11CF50D9C4B1ABF71FB94324F24C6A9D8490B656C376E856CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:35%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:50
                  Total number of Limit Nodes:2
                  execution_graph 2251 c002e3 2252 c002ed 2251->2252 2253 c00452 2252->2253 2254 c01bc2 12 API calls 2252->2254 2254->2253 2198 c00448 2199 c0044e 2198->2199 2200 c00452 2199->2200 2202 c01bc2 2199->2202 2206 c02310 2202->2206 2210 c02301 2202->2210 2203 c01bdb 2203->2200 2207 c0231c 2206->2207 2208 c02326 2207->2208 2214 c03187 2207->2214 2208->2203 2212 c02310 2210->2212 2211 c02326 2211->2203 2212->2211 2213 c03187 12 API calls 2212->2213 2213->2212 2215 c031a0 2214->2215 2243 c038f0 2215->2243 2247 c03c80 2215->2247 2216 c03597 2237 c04440 ResumeThread 2216->2237 2238 c0443e ResumeThread 2216->2238 2217 c03222 2223 c0352a 2217->2223 2239 c04170 ReadProcessMemory 2217->2239 2240 c0416e ReadProcessMemory 2217->2240 2218 c035bf 2218->2207 2219 c03308 2241 c04260 VirtualAllocEx 2219->2241 2242 c04258 VirtualAllocEx 2219->2242 2220 c03388 2220->2223 2229 c04300 WriteProcessMemory 2220->2229 2230 c04308 WriteProcessMemory 2220->2230 2221 c033f3 2222 c034e9 2221->2222 2227 c04300 WriteProcessMemory 2221->2227 2228 c04308 WriteProcessMemory 2221->2228 2231 c04300 WriteProcessMemory 2222->2231 2232 c04308 WriteProcessMemory 2222->2232 2224 c03567 2223->2224 2225 c040b0 SetThreadContext 2223->2225 2226 c040ae SetThreadContext 2223->2226 2224->2216 2233 c040b0 SetThreadContext 2224->2233 2234 c040ae SetThreadContext 2224->2234 2225->2224 2226->2224 2227->2221 2228->2221 2229->2221 2230->2221 2231->2223 2232->2223 2233->2216 2234->2216 2237->2218 2238->2218 2239->2219 2240->2219 2241->2220 2242->2220 2244 c038f5 CreateProcessAsUserA 2243->2244 2246 c03f25 2244->2246 2246->2246 2249 c03d0d 2247->2249 2248 c03eac CreateProcessAsUserA 2250 c03f25 2248->2250 2249->2248 2249->2249
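The execution graph above records, for the msdtc.exe host (process 27), the call chain CreateProcessAsUserA → ReadProcessMemory → VirtualAllocEx → WriteProcessMemory (three call sites: c03388, c033f3, c034e9) → SetThreadContext → ResumeThread. That ordering is the RunPE / process-hollowing pattern: a victim process is created, memory in it is allocated and overwritten with the payload image (in a typical RunPE the three writes are the PE headers, the sections and the patched image base in the target's PEB), the main thread's context is pointed at the new entry point, and the thread is resumed. The following detector is an added example, not code from the Joe Sandbox report or from the analysed sample: it walks a per-process API trace and flags the ordered chain. The trace format ("pid api") and the three sample processes are constructed for the example, and the Nt-level and OpenProcess/CreateRemoteThread names are assumptions about equivalent injection paths, not calls observed in this report.

```python
"""Flag the RunPE / process-hollowing API sequence in a per-process API trace.

Added example, not code from the Joe Sandbox report or from the analysed
sample. The "pid api" trace format is a constructed simplification of the
report's API listing; Joe Sandbox does not export exactly this text.
"""
from collections import defaultdict

# Stages of the hollowing chain seen in the report's execution graph, in the
# order the injector must issue them. Each stage also accepts Nt-level and
# OpenProcess-style equivalents (assumed alternative call paths) so a loader
# that calls ntdll directly or targets an existing process is still matched.
HOLLOWING_STAGES = (
    ("target",  {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                 "CreateProcessAsUserW", "CreateProcessInternalW",
                 "OpenProcess", "NtOpenProcess"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "NtSetContextThread",
                 "Wow64SetThreadContext"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)

# Constructed trace. Process 27 mirrors the chain from the report's execution
# graph (three WriteProcessMemory calls); process 10 is a remote-thread style
# injection without a context hijack; process 5 resumes before it writes, so
# the order is wrong and it must not be flagged.
SAMPLE_TRACE = """\
27 CreateProcessAsUserA
27 ReadProcessMemory
27 VirtualAllocEx
27 WriteProcessMemory
27 WriteProcessMemory
27 WriteProcessMemory
27 SetThreadContext
27 ResumeThread
10 OpenProcess
10 VirtualAllocEx
10 WriteProcessMemory
10 CreateRemoteThread
5 CreateProcessW
5 ResumeThread
5 WriteProcessMemory
"""


def parse_trace(text):
    """Return {pid: [api, api, ...]} preserving call order per process."""
    calls = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api = line.split(None, 1)
        calls[int(pid)].append(api.split("(")[0])  # drop any "(args)" suffix
    return calls


def match_hollowing(apis):
    """Walk one process's calls and return the stage names reached, in order.

    The chain only advances on the next required stage, so a trace that
    resumes a thread before writing to it does not count as hollowing.
    Unrelated calls between stages (e.g. ReadProcessMemory of the PEB, as in
    the report) are ignored.
    """
    reached = []
    stage = 0
    for api in apis:
        if stage == len(HOLLOWING_STAGES):
            break
        name, accepted = HOLLOWING_STAGES[stage]
        if api in accepted:
            reached.append(name)
            stage += 1
    return reached


def find_hollowing(trace_text):
    """Return {pid: verdict} for every process in the trace.

    'hollowing'    = full target/alloc/write/context/resume chain
    'remote-write' = allocation and write into another process, but no
                     thread-context hijack (other injection styles)
    'none'         = nothing ordered like an injection
    """
    verdicts = {}
    for pid, apis in parse_trace(trace_text).items():
        reached = match_hollowing(apis)
        if len(reached) == len(HOLLOWING_STAGES):
            verdicts[pid] = "hollowing"
        elif "write" in reached:
            verdicts[pid] = "remote-write"
        else:
            verdicts[pid] = "none"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(find_hollowing(SAMPLE_TRACE).items()):
        print(f"pid {pid}: {verdict}")
```

The sequence is necessary for hollowing but not sufficient on its own: debuggers and some installers issue the same calls. When the trace carries arguments (the report shows them only as `?` here), confidence rises if the CreateProcess call passes CREATE_SUSPENDED and the target is a signed system binary such as the msdtc.exe and RegAsm.exe hosts named in this report. A user-mode API trace can also be bypassed by direct syscalls, so a production detector should consume kernel or ETW-level events rather than hooked Win32 calls.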

                  Control-flow Graph

                  control_flow_graph 0 c038f0-c03d19 8 c03d1b-c03d40 0->8 9 c03d6d-c03d8d 0->9 8->9 12 c03d42-c03d44 8->12 13 c03de1-c03e12 9->13 14 c03d8f-c03db4 9->14 15 c03d46-c03d50 12->15 16 c03d67-c03d6a 12->16 23 c03e14-c03e3c 13->23 24 c03e69-c03f23 CreateProcessAsUserA 13->24 14->13 21 c03db6-c03db8 14->21 18 c03d52 15->18 19 c03d54-c03d63 15->19 16->9 18->19 19->19 22 c03d65 19->22 25 c03dba-c03dc4 21->25 26 c03ddb-c03dde 21->26 22->16 23->24 32 c03e3e-c03e40 23->32 38 c03f25-c03f2b 24->38 39 c03f2c-c03fa0 24->39 27 c03dc6 25->27 28 c03dc8-c03dd7 25->28 26->13 27->28 28->28 31 c03dd9 28->31 31->26 34 c03e42-c03e4c 32->34 35 c03e63-c03e66 32->35 36 c03e50-c03e5f 34->36 37 c03e4e 34->37 35->24 36->36 40 c03e61 36->40 37->36 38->39 48 c03fb0-c03fb4 39->48 49 c03fa2-c03fa6 39->49 40->35 51 c03fc4-c03fc8 48->51 52 c03fb6-c03fba 48->52 49->48 50 c03fa8 49->50 50->48 53 c03fd8-c03fdc 51->53 54 c03fca-c03fce 51->54 52->51 55 c03fbc 52->55 57 c03fee-c03ff5 53->57 58 c03fde-c03fe4 53->58 54->53 56 c03fd0 54->56 55->51 56->53 59 c03ff7-c04006 57->59 60 c0400c 57->60 58->57 59->60 62 c0400d 60->62 62->62
                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00C03F10
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: 5e1ec98d99e0f242c1c7b868c662d3492cdc2142858becdb420637c2010b7ea5
                  • Instruction ID: 240932e8d46848cc6275e1a29f0cbb0b5242b6863d49b13f934d8ae0e495515e
                  • Opcode Fuzzy Hash: 5e1ec98d99e0f242c1c7b868c662d3492cdc2142858becdb420637c2010b7ea5
                  • Instruction Fuzzy Hash: 3EB18C71E002598FDB11CFA8D8817DDBBB6EF49304F0081AAE859E7291DB749A85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 63 c03c80-c03d19 65 c03d1b-c03d40 63->65 66 c03d6d-c03d8d 63->66 65->66 69 c03d42-c03d44 65->69 70 c03de1-c03e12 66->70 71 c03d8f-c03db4 66->71 72 c03d46-c03d50 69->72 73 c03d67-c03d6a 69->73 80 c03e14-c03e3c 70->80 81 c03e69-c03f23 CreateProcessAsUserA 70->81 71->70 78 c03db6-c03db8 71->78 75 c03d52 72->75 76 c03d54-c03d63 72->76 73->66 75->76 76->76 79 c03d65 76->79 82 c03dba-c03dc4 78->82 83 c03ddb-c03dde 78->83 79->73 80->81 89 c03e3e-c03e40 80->89 95 c03f25-c03f2b 81->95 96 c03f2c-c03fa0 81->96 84 c03dc6 82->84 85 c03dc8-c03dd7 82->85 83->70 84->85 85->85 88 c03dd9 85->88 88->83 91 c03e42-c03e4c 89->91 92 c03e63-c03e66 89->92 93 c03e50-c03e5f 91->93 94 c03e4e 91->94 92->81 93->93 97 c03e61 93->97 94->93 95->96 105 c03fb0-c03fb4 96->105 106 c03fa2-c03fa6 96->106 97->92 108 c03fc4-c03fc8 105->108 109 c03fb6-c03fba 105->109 106->105 107 c03fa8 106->107 107->105 110 c03fd8-c03fdc 108->110 111 c03fca-c03fce 108->111 109->108 112 c03fbc 109->112 114 c03fee-c03ff5 110->114 115 c03fde-c03fe4 110->115 111->110 113 c03fd0 111->113 112->108 113->110 116 c03ff7-c04006 114->116 117 c0400c 114->117 115->114 116->117 119 c0400d 117->119 119->119
                  APIs
                  • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00C03F10
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: CreateProcessUser
                  • String ID:
                  • API String ID: 2217836671-0
                  • Opcode ID: cc7fbab049de76ea4095ff225d45495d8f5cbbfcc867f43286cce5a6471cd0db
                  • Instruction ID: b389a9b850c951a5c7a2141ca80d493c2e88edea4f46dcf75b6ffc9a6d9676c1
                  • Opcode Fuzzy Hash: cc7fbab049de76ea4095ff225d45495d8f5cbbfcc867f43286cce5a6471cd0db
                  • Instruction Fuzzy Hash: 20A13B71E002599FDB10CFA9C9817DDBBB6FB48304F0481A9E819A7291DB749A85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 191 c04300-c04359 193 c04369-c043a2 WriteProcessMemory 191->193 194 c0435b-c04367 191->194 195 c043a4-c043aa 193->195 196 c043ab-c043cc 193->196 194->193 195->196
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C04395
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: ae6246f6bbd80615400ee122f943c49236f3918576fb50041a30c9a30dd29eac
                  • Instruction ID: c9cf2146c1e27b0861f22b7808bad1aa8af319dbda299469f2c15027731b445b
                  • Opcode Fuzzy Hash: ae6246f6bbd80615400ee122f943c49236f3918576fb50041a30c9a30dd29eac
                  • Instruction Fuzzy Hash: 9B2105B1900259DFDB10CFAAD885BDEBBF4FB48324F14842AE559A3250D778A945CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 198 c04308-c04359 200 c04369-c043a2 WriteProcessMemory 198->200 201 c0435b-c04367 198->201 202 c043a4-c043aa 200->202 203 c043ab-c043cc 200->203 201->200 202->203
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C04395
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 6f872c6190f62f3374933e061484588d5fdd0faaf4bef145656228ca5ba48e8b
                  • Instruction ID: d5996f7b780f17079a70ae3623c14d8dfdf31d6ae909550f93ae9196b18f9091
                  • Opcode Fuzzy Hash: 6f872c6190f62f3374933e061484588d5fdd0faaf4bef145656228ca5ba48e8b
                  • Instruction Fuzzy Hash: 4421E4B1900259DFDB14CF9AD885BDEBBF4FB48324F14842AE918A3290D774A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 205 c040ae-c040fc 207 c04108-c04134 SetThreadContext 205->207 208 c040fe-c04106 205->208 209 c04136-c0413c 207->209 210 c0413d-c0415e 207->210 208->207 209->210
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 00C04127
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: eefde06007e96d3adc4f482f44b6b11f92e6cc057bd371983228372fd8c025c2
                  • Instruction ID: f2f179d094714cdb12be3cc29b147f52dfed18c12054c4cf9af00fa44ab31f5f
                  • Opcode Fuzzy Hash: eefde06007e96d3adc4f482f44b6b11f92e6cc057bd371983228372fd8c025c2
                  • Instruction Fuzzy Hash: 032136B1D0021A9FDB00CF9AD985BDEFBF4BB48324F04812AD518A7240D778A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 212 c040b0-c040fc 214 c04108-c04134 SetThreadContext 212->214 215 c040fe-c04106 212->215 216 c04136-c0413c 214->216 217 c0413d-c0415e 214->217 215->214 216->217
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 00C04127
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: 25047017313e7c6308d48510e7f66e87a5aa094afc5f290d6397ef61488c9c59
                  • Instruction ID: 8ad5ced6b88aaa55e89bbf047f9452c153db66efdda35bba72398004377eac76
                  • Opcode Fuzzy Hash: 25047017313e7c6308d48510e7f66e87a5aa094afc5f290d6397ef61488c9c59
                  • Instruction Fuzzy Hash: 022117B1D106199FDB04CF9AD985BDEFBF8BB48324F14812AD518B3240D778A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 219 c0416e-c041f3 ReadProcessMemory 221 c041f5-c041fb 219->221 222 c041fc-c0421d 219->222 221->222
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C041E6
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: bf164766fbaa729f10ffee0f83459f8eda31ad06cf83ea7ded4e4c1d411f67c2
                  • Instruction ID: c633367cc69179deec3f61dd15d3c8ea8ce68017a5d41386b747bbf3050aaee4
                  • Opcode Fuzzy Hash: bf164766fbaa729f10ffee0f83459f8eda31ad06cf83ea7ded4e4c1d411f67c2
                  • Instruction Fuzzy Hash: 9821F4B5900249DFDB10CF9AC884BDEBBF4FB48320F14842AE568A7250D374A685CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 224 c04170-c041f3 ReadProcessMemory 226 c041f5-c041fb 224->226 227 c041fc-c0421d 224->227 226->227
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C041E6
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 446aea8d76fc16ad00e5d1a0ef645e789424a7a7c429451329e86d4b32dc5b34
                  • Instruction ID: e9acd1073de01dfea3f3efded11e7814fda0cebcbbd838c36a4a20c5dd8a48d3
                  • Opcode Fuzzy Hash: 446aea8d76fc16ad00e5d1a0ef645e789424a7a7c429451329e86d4b32dc5b34
                  • Instruction Fuzzy Hash: 5421D6B5900259DFDB10DF9AC884BDFBBF4FB48320F148429E558A7250D774A645CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                  • Blocks: 229 c04258-c042d8 VirtualAllocEx; 231 c042e1-c042f5; 232 c042da-c042e0
                  • Edges: 229->231, 229->232, 232->231
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C042CB
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: e4b04c8dfdb00c787a98b937301ac67b1e4cce5be9710fc26b17a3d256583ce2
                  • Instruction ID: 1acdd9d5091b0eff46a28f5bd1655488c7c4f3afd8ed96b34b8789c69a357508
                  • Opcode Fuzzy Hash: e4b04c8dfdb00c787a98b937301ac67b1e4cce5be9710fc26b17a3d256583ce2
                  • Instruction Fuzzy Hash: D611EFB59002499FDB10CF9AC884BDEBFF4EB48324F14841AE668A7250C375A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                  • Blocks: 234 c04260-c042d8 VirtualAllocEx; 236 c042e1-c042f5; 237 c042da-c042e0
                  • Edges: 234->236, 234->237, 237->236
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C042CB
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: e6c3011c053a123f14acfba20d8b6eedad225485fdcc1a7353fd29cc30b79657
                  • Instruction ID: 31407558b263588cd2548d176406d2dfdad37d4c10d51516f44d32faca1a10fe
                  • Opcode Fuzzy Hash: e6c3011c053a123f14acfba20d8b6eedad225485fdcc1a7353fd29cc30b79657
                  • Instruction Fuzzy Hash: 8011E0B5900249DFDB10CF9AD888BDFBBF8FB48324F148419E629A7250C375A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                  • Blocks: 244 c04440-c044ac ResumeThread; 246 c044b5-c044c9; 247 c044ae-c044b4
                  • Edges: 244->246, 244->247, 247->246
                  APIs
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 659fd614ca1d2cbb332fd15280ed614faaa6f682d81afeadde7c07cfeecf62d3
                  • Instruction ID: fee09be722c200c3c328b85ec59fb6a883d6082eef3921def8249ecf8880123e
                  • Opcode Fuzzy Hash: 659fd614ca1d2cbb332fd15280ed614faaa6f682d81afeadde7c07cfeecf62d3
                  • Instruction Fuzzy Hash: A11123B1800258CFDB10CF9AD488BDFFBF8EB48324F14841AD519A3240C774A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                  • Blocks: 239 c0443e-c044ac ResumeThread; 241 c044b5-c044c9; 242 c044ae-c044b4
                  • Edges: 239->241, 239->242, 242->241
                  APIs
                  Memory Dump Source
                  • Source File: 0000001B.00000002.389691356.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_c00000_msdtc.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: e9273f4c747aa4a5fcbaf65099aa854806d68693b124c73af15023d43382e017
                  • Instruction ID: 87bb46d11618a6e36d738105fa451e1b19732300f300d9c27c5784a749521d65
                  • Opcode Fuzzy Hash: e9273f4c747aa4a5fcbaf65099aa854806d68693b124c73af15023d43382e017
                  • Instruction Fuzzy Hash: 311112B1800259CFDB10CF9AD488BDFFBF8EB88324F14841AD529A7250C774A984CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000001B.00000002.389405152.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_b5d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37d1f7714b7604d999c573b67bd0a9ce621d7b87a2e832f7baf9c6ddb1e76694
                  • Instruction ID: 75b1763eeb78772d248e577af9930cbfc14f9863a16bc9864e6c85e3622641b9
                  • Opcode Fuzzy Hash: 37d1f7714b7604d999c573b67bd0a9ce621d7b87a2e832f7baf9c6ddb1e76694
                  • Instruction Fuzzy Hash: 51212B71504240DFDB25DF14E8C0B26BBA5FBA8319F24C6E9DD054B206D335D849C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000001B.00000002.389405152.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_b5d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 671d1e82aaf3a8a1789e2a0bc3524e1228dee01592c757c66e574efa6d7a2c85
                  • Instruction ID: 3d2fe100d4524cf57bcd2e2d6fb9d2863dc8837cdaf44e882142db7808753ef7
                  • Opcode Fuzzy Hash: 671d1e82aaf3a8a1789e2a0bc3524e1228dee01592c757c66e574efa6d7a2c85
                  • Instruction Fuzzy Hash: 6E212871504240DFDB24DF10D9C4B26BBA5FB98325F24C6E9ED094B346C336E84AC7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000001B.00000002.389405152.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_b5d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction ID: 40c26bdabeaebbd19d3bd6a93e45c4a74d54e1b0448763f5d94ea921ad2fc81c
                  • Opcode Fuzzy Hash: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction Fuzzy Hash: 70119D76504280CFDB21CF10D9C4B16BFB2FB94324F24C6E9D8090B616C336E85ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 0000001B.00000002.389405152.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_27_2_b5d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction ID: e32e70a4b1b9c119613fc2210f13773190e10cdb57bdd0fa8885452b9d7ead7f
                  • Opcode Fuzzy Hash: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction Fuzzy Hash: 7A11AF76504280CFDB12CF14D9C4B1ABFB1FB94324F2486E9DC050B616D336D85ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph (rendered graph)

                  Execution Coverage: 30.6%
                  Dynamic/Decrypted Code Coverage: 100%
                  Signature Coverage: 0%
                  Total number of Nodes: 8
                  Total number of Limit Nodes: 0
                  • Nodes: 1653 2c42560; 1654 2c425ae NtProtectVirtualMemory; 1656 2c425f8; 1657 2c42109; 1661 2c4214e; 1658 2c42502; 1659 2c425c7 NtProtectVirtualMemory; 1660 2c425f8
                  • Edges: 1653->1654, 1654->1656, 1657->1661, 1659->1660, 1661->1658, 1661->1659

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed; raw node and edge list follows)

                  control_flow_graph 39 2c42109-2c4214c 40 2c4214e-2c42150 39->40 41 2c42158-2c4215b 39->41 42 2c424c6-2c424f5 40->42 44 2c42156 40->44 41->42 43 2c42161-2c42184 41->43 59 2c424fc-2c42500 42->59 47 2c42186-2c42188 43->47 48 2c42190-2c42193 43->48 44->43 47->42 50 2c4218e 47->50 48->42 51 2c42199-2c421bf 48->51 50->51 54 2c421c1-2c421c5 51->54 55 2c421cd-2c421d1 51->55 54->42 57 2c421cb 54->57 55->42 58 2c421d7-2c421e5 55->58 57->58 61 2c421f4-2c421fc 58->61 62 2c421e7-2c421f2 58->62 63 2c42502-2c4250c 59->63 64 2c4250d-2c425f6 NtProtectVirtualMemory 59->64 65 2c421ff-2c42201 61->65 62->65 93 2c425ff-2c42624 64->93 94 2c425f8-2c425fe 64->94 66 2c42203-2c42205 65->66 67 2c4220d-2c42210 65->67 66->42 69 2c4220b 66->69 67->42 70 2c42216-2c42239 67->70 69->70 74 2c42245-2c42248 70->74 75 2c4223b-2c4223d 70->75 74->42 77 2c4224e-2c42272 74->77 75->42 76 2c42243 75->76 76->77 81 2c42274-2c42276 77->81 82 2c4227e-2c42281 77->82 81->42 83 2c4227c 81->83 82->42 84 2c42287-2c422a8 82->84 83->84 88 2c422b4-2c422b7 84->88 89 2c422aa-2c422ac 84->89 88->42 91 2c422bd-2c422e1 88->91 89->42 90 2c422b2 89->90 90->91 96 2c422e3-2c422e5 91->96 97 2c422ed-2c422f0 91->97 94->93 96->42 100 2c422eb 96->100 97->42 101 2c422f6-2c4231a 97->101 100->101 104 2c42326-2c42329 101->104 105 2c4231c-2c4231e 101->105 104->42 107 2c4232f-2c42353 104->107 105->42 106 2c42324 105->106 106->107 109 2c42355-2c42357 107->109 110 2c4235f-2c42362 107->110 109->42 111 2c4235d 109->111 110->42 112 2c42368-2c4237b 110->112 111->112 112->59 114 2c42381-2c423b0 112->114 115 2c423b2-2c423b4 114->115 116 2c423bc-2c423bf 114->116 115->42 118 2c423ba 115->118 116->42 117 2c423c5-2c423dd 116->117 120 2c423df-2c423e1 117->120 121 2c423e9-2c423ec 117->121 118->117 120->42 122 2c423e7 120->122 121->42 123 2c423f2-2c42409 121->123 122->123 126 2c424b5-2c424be 123->126 127 2c4240f-2c42432 123->127 126->114 130 2c424c4 126->130 128 2c42434-2c42436 127->128 129 2c4243e-2c42441 127->129 128->42 132 2c4243c 128->132 129->42 131 2c42447-2c42477 129->131 130->59 134 2c4247f-2c42482 131->134 135 2c42479-2c4247b 131->135 132->131 134->42 137 2c42484-2c424a1 134->137 135->42 136 2c4247d 135->136 136->137 139 2c424a3-2c424a5 137->139 140 2c424a9-2c424ac 137->140 139->42 141 2c424a7 139->141 140->42 142 2c424ae-2c424b3 140->142 141->142 142->59
                  APIs
                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C425E9
                  Memory Dump Source
                  • Source File: 0000001C.00000002.403674349.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2c40000_RegAsm.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: 1bc3143b827c97531755ceb000bfecc80a46ce6bffd8b1c76f216e6252f925f5
                  • Instruction ID: cf197b8a93105a20b3dc19d435cc5f469f89dfd5fd6c288df127f8f82a3716fc
                  • Opcode Fuzzy Hash: 1bc3143b827c97531755ceb000bfecc80a46ce6bffd8b1c76f216e6252f925f5
                  • Instruction Fuzzy Hash: 96E1C332F002044BDB54CABE8C913AF76A3AFC4224F598239EE15DB7C4EF7499019752
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                  • Blocks: 143 2c42560-2c425f6 NtProtectVirtualMemory; 146 2c425ff-2c42624; 147 2c425f8-2c425fe
                  • Edges: 143->146, 143->147, 147->146
                  APIs
                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C425E9
                  Memory Dump Source
                  • Source File: 0000001C.00000002.403674349.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2c40000_RegAsm.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID:
                  • API String ID: 2706961497-0
                  • Opcode ID: e5cec636ff0d640c54946c93f455e1a7c96adbbe88bca05fa4fd475302aec14a
                  • Instruction ID: 5e527d36a3aceed44da21e1d2ee7c7d26b020c5a7efb83547766f94569c818ed
                  • Opcode Fuzzy Hash: e5cec636ff0d640c54946c93f455e1a7c96adbbe88bca05fa4fd475302aec14a
                  • Instruction Fuzzy Hash: 6721C0B1D002499FCB10DFAAD984ADEFBF5FF48314F50842AE919A7240C775A944CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000026.00000002.506857523.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_38_2_75d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 642540e2c4bb6b063d1cf9a84b18b6c4bd1d6ca43ee1189ae475d04a8f6b10bf
                  • Instruction ID: 67a4e2f377a662ade063cdc707a4d9f2a073a8179c3753b08e8e3c3c2fddcb22
                  • Opcode Fuzzy Hash: 642540e2c4bb6b063d1cf9a84b18b6c4bd1d6ca43ee1189ae475d04a8f6b10bf
                  • Instruction Fuzzy Hash: E52148B1504240DFDB31CF14D8C0B66BB61FB98329F24C568EC094B206D37ADC59C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000026.00000002.506857523.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_38_2_75d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9d9427ea40f42299ac3989a84bc8084ed4ae7298d75e412ab1e8cd5783b0d2cc
                  • Instruction ID: 33d8a335ed7ea22e3bd4ee602b813c11f9e1c463cfa153c1cb3c4b08bf54b308
                  • Opcode Fuzzy Hash: 9d9427ea40f42299ac3989a84bc8084ed4ae7298d75e412ab1e8cd5783b0d2cc
                  • Instruction Fuzzy Hash: F82103B1504280DFDB34DF10D9C4B66BB66FB98325F24C569ED094B246C37AEC4AC6A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000026.00000002.506857523.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_38_2_75d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction ID: af0e28fc4d640aafc0e2bab72226759691ee8a25ed154c5b43229933b4adcf04
                  • Opcode Fuzzy Hash: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction Fuzzy Hash: AD11B176504280CFDB21CF10D9C4B56BF72FB94324F24C6A9DC090B616C37AE85ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000026.00000002.506857523.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_38_2_75d000_msdtc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction ID: 0fc9aec6875bbc4974c1c50d2e8712187ceb681cd9fe6264b32fda8f1558e991
                  • Opcode Fuzzy Hash: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
                  • Instruction Fuzzy Hash: 8B11D376504280CFDB22CF14D9C4B56BF72FB94324F24C6A9DC050B616D37AD96ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%